PT-2017-7668 · Squid+5 · Squid Http Proxy+6

Saulius Lapinskas

Published

2014-04-24

Updated

2024-06-15

CVE-2016-10002

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Squid HTTP Proxy versions 3.1.10 through 3.1.23 Squid HTTP Proxy versions 3.2.0.3 through 3.5.22 Squid HTTP Proxy versions 4.0.1 through 4.0.16

Description The issue arises from the incorrect processing of responses to If-None-Modified HTTP conditional requests, leading to the leakage of client-specific Cookie data to other clients. An attacker can craft requests to probe a cache for this sensitive information.

Recommendations For Squid HTTP Proxy versions 3.1.10 through 3.1.23, update to a version outside of this range to mitigate the issue. For Squid HTTP Proxy versions 3.2.0.3 through 3.5.22, update to a version outside of this range to mitigate the issue. For Squid HTTP Proxy versions 4.0.1 through 4.0.16, update to a version outside of this range to mitigate the issue. As a temporary workaround, consider restricting access to the cache to minimize the risk of exploitation.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

ALT-PU-2014-1531

ALT-PU-2016-2464

CESA-2017_0182

CESA-2017_0183

CVE-2016-10002

DLA-763-1

DSA-3745-1

MGASA-2016-0423

OPENSUSE-SU-2024:11403-1

RHSA-2017:0182

RHSA-2017:0183

RHSA-2017_0182

RHSA-2017_0183

SUSE-SU-2017:0110-1

SUSE-SU-2017:0116-1

SUSE-SU-2017:0128-1

USN-3192-1

Affected Products

Alt Linux

Centos

Red Hat

Squid Cache

Squid Http Proxy

Suse

Ubuntu

PT-2017-7668 · Squid+5 · Squid Http Proxy+6

CVE-2016-10002

Weakness Enumeration

Related Identifiers

Affected Products

References · 117