CVE-2022-41317

Published: 25/12/2022 Updated: 08/08/2023
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

An issue exists in Squid 4.9 up to and including 4.17 and 5.0.6 up to and including 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.

Vulnerable Product

squid-cache squid

Vendor Advisories

Debian Bug report logs - #1020587 squid: CVE-2022-41317 Package: src:squid; Maintainer for src:squid is Luigi Gangitano <luigi@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 23 Sep 2022 20:18:06 UTC; Severity: important; Tags: security, upstream; Found in versions squid/4.13-10, squid/5.6 ...
Several security issues were fixed in Squid ...
Several vulnerabilities were discovered in Squid, a fully featured web proxy cache, which could result in exposure of sensitive information in the cache manager (CVE-2022-41317), or denial of service or information disclosure if Squid is configured to negotiate authentication with the SSPI and SMB authentication helpers (CVE-2022-41318). For the st ...
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption (CVE-2021-28651) ...
Description: This CVE is under investigation by Red Hat Product Security ...
A flaw was found in squid. A trusted client can directly access the cache manager information, bypassing the manager ACL protection and resulting in information disclosure (CVE-2022-41317) ...
An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making an MD5 hash of the absolute URL of the request. If found, it serves the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decod ...
Severity: Unknown; Remote: Unknown; Type: Unknown; Description: AVG-2816 squid 5.6-1 5.7-1 Unknown Unknown www.openwall.com/lists/oss-security/2022/09/23/1 www.squid-cache.org/Versions/v5/changesets/S ...