CVE-2022-41317

An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 76%
VendorProductVersion
squid-cachesquid
4.9 ≤
𝑥
≤ 4.17
squid-cachesquid
5.0.6 ≤
𝑥
< 5.7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
squid
bullseye (security)
4.13-10+deb11u3
fixed
bullseye
4.13-10+deb11u3
fixed
bookworm
5.7-2+deb12u2
fixed
bookworm (security)
5.7-2+deb12u2
fixed
sid
6.12-1
fixed
trixie
6.12-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
squid
kinetic
Fixed 5.6-1ubuntu3
released
jammy
Fixed 5.2-1ubuntu4.2
released
focal
Fixed 4.10-1ubuntu1.7
released
bionic
dne
xenial
dne
trusty
dne
squid3
jammy
dne
focal
dne
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch
http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch
https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
https://www.openwall.com/lists/oss-security/2022/09/23/1
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch
http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch
https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
https://www.openwall.com/lists/oss-security/2022/09/23/1