CVE-2019-18678

Name of the Vulnerable Software and Affected Versions Squid versions 3.x through 4.8

Description The issue allows attackers to smuggle HTTP requests through frontend software to a Squid instance, corrupting caches with attacker-controlled content at arbitrary URLs. This is related to a request header containing whitespace between a header name and a colon. The effects are isolated to software between the attacker client and Squid, with no effects on Squid itself or any upstream servers. The vulnerability is associated with a lack in the interpretation of HTTP requests, which can be exploited by a remote attacker to impact data integrity.

Recommendations For Squid versions 3.x through 4.8, consider restricting access to the vulnerable request header processing mechanism until a patch is available. As a temporary workaround, avoid using request headers with whitespace between the header name and a colon to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.