{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-41317", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T12:42:46.213Z", "dateReserved": "2022-09-23T00:00:00", "datePublished": "2022-12-25T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-12-25T00:00:00"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq"}, {"url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch"}, {"url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch"}, {"url": "https://www.openwall.com/lists/oss-security/2022/09/23/1"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:42:46.213Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq", "tags": ["x_transferred"]}, {"url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch", "tags": ["x_transferred"]}, {"url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2022/09/23/1", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "12D3C02F-A954-4850-BF8E-B1C57531AD1E", "versionEndIncluding": "4.17", "versionStartIncluding": "4.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "0AA329B0-3111-4416-A9F0-32ED782323ED", "versionEndExcluding": "5.7", "versionStartIncluding": "5.0.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Squid 4.9 a 4.17 y 5.0.6 a 5.6. Debido al manejo inconsistente de los URI internos, puede haber exposici\u00f3n de informaci\u00f3n confidencial sobre los clientes que usan el proxy a trav\u00e9s de una solicitud HTTPS a una URL del administrador de cach\u00e9 interno. Esto se solucion\u00f3 en 5.7."}], "id": "CVE-2022-41317", "lastModified": "2024-11-21T07:23:02.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-25T19:15:10.767", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2022/09/23/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2022/09/23/1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-697"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "squid: exposure of sensitive information in cache manager", "id": "2129770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129770"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-284->CWE-200", "details": ["An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.", "A flaw was found in squid. A trusted client can directly access the cache manager information, bypassing the manager ACL protection and resulting in information disclosure."], "mitigation": {"lang": "en:us", "value": "Adding the following line to the squid.conf file is a workaround:\nacl manager url_regex +i ^[^:]+://[^/]+/squid-internal-mgr/"}, "name": "CVE-2022-41317", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "squid:4/squid", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-09-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-41317\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-41317\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq"], "threat_severity": "Moderate"}