Cross-site Request Forgery (CSRF) Affecting squid3 package, versions <3.5.23-5+deb9u2


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.37% (73rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN9-SQUID3-481911
  • published10 Nov 2019
  • disclosed26 Nov 2019

Introduced: 10 Nov 2019

CVE-2019-18677  (opens in a new tab)
CWE-352  (opens in a new tab)

How to fix?

Upgrade Debian:9 squid3 to version 3.5.23-5+deb9u2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream squid3 package and not the squid3 package as distributed by Debian. See How to fix? for Debian:9 relevant fixed versions and status.

An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.

CVSS Scores

version 3.1