{"api_version":"1","generated_at":"2026-04-23T02:35:34+00:00","cve":"CVE-2019-18678","urls":{"html":"https://cve.report/CVE-2019-18678","api":"https://cve.report/api/cve/CVE-2019-18678.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-18678","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-18678"},"summary":{"title":"CVE-2019-18678","description":"An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-11-26 17:15:00","updated_at":"2023-11-07 03:06:00"},"problem_types":["CWE-444"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html","name":"[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2278-1] squid3 security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/","name":"FEDORA-2019-0b16cbdd0e","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 30 Update: squid-4.9-2.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202003-34","name":"GLSA-202003-34","refsource":"GENTOO","tags":[],"title":"Squid: Multiple vulnerabilities (GLSA 202003-34) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch","name":"http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch","refsource":"CONFIRM","tags":["Release Notes"],"title":"","mime":"text/x-diff","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/squid-cache/squid/pull/445","name":"https://github.com/squid-cache/squid/pull/445","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"RFC 7230: server MUST reject messages with BWS after field-name by yadij · Pull Request #445 · squid-cache/squid · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.suse.com/show_bug.cgi?id=1156323","name":"https://bugzilla.suse.com/show_bug.cgi?id=1156323","refsource":"CONFIRM","tags":["Issue Tracking","Third Party Advisory"],"title":"Bug 1156323 – VUL-0: CVE-2019-18678: squid,squid3: incorrect message parsing leads to HTTP request splitting issue","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/4213-1/","name":"USN-4213-1","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-4213-1: Squid vulnerabilities | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/","name":"FEDORA-2019-9538783033","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: squid-4.9-2.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html","name":"[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update","refsource":"MLIST","tags":["Third Party Advisory"],"title":"[SECURITY] [DLA 2028-1] squid3 security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/","name":"FEDORA-2019-9538783033","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 31 Update: squid-4.9-2.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2020/dsa-4682","name":"DSA-4682","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4682-1 squid","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/","name":"FEDORA-2019-0b16cbdd0e","refsource":"","tags":[],"title":"[SECURITY] Fedora 30 Update: squid-4.9-2.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.squid-cache.org/Advisories/SQUID-2019_10.txt","name":"http://www.squid-cache.org/Advisories/SQUID-2019_10.txt","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-18678","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-18678","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"30","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"3.5.28","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"squid-cache","cpe5":"squid","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"18678","vulnerable":"1","versionEndIncluding":"4.8","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"squid-cache","cpe5":"squid","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-18678","qid":"159658","title":"Oracle Enterprise Linux Security Update for squid:4 (ELSA-2020-4743)"},{"cve":"CVE-2019-18678","qid":"296075","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 21.69.0 Missing (CPUAPR2020)"},{"cve":"CVE-2019-18678","qid":"356277","title":"Amazon Linux Security Advisory for squid : ALASSQUID4-2023-007"},{"cve":"CVE-2019-18678","qid":"356430","title":"Amazon Linux Security Advisory for squid : ALAS2-2023-2318"},{"cve":"CVE-2019-18678","qid":"377360","title":"Alibaba Cloud Linux Security Update for squid:4 (ALINUX3-SA-2022:0124)"},{"cve":"CVE-2019-18678","qid":"940034","title":"AlmaLinux Security Update for squid:4 (ALSA-2020:4743)"},{"cve":"CVE-2019-18678","qid":"960867","title":"Rocky Linux Security Update for squid:4 (RLSA-2020:4743)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-18678","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/squid-cache/squid/pull/445","refsource":"MISC","name":"https://github.com/squid-cache/squid/pull/445"},{"refsource":"CONFIRM","name":"https://bugzilla.suse.com/show_bug.cgi?id=1156323","url":"https://bugzilla.suse.com/show_bug.cgi?id=1156323"},{"refsource":"CONFIRM","name":"http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch","url":"http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch"},{"refsource":"CONFIRM","name":"http://www.squid-cache.org/Advisories/SQUID-2019_10.txt","url":"http://www.squid-cache.org/Advisories/SQUID-2019_10.txt"},{"refsource":"UBUNTU","name":"USN-4213-1","url":"https://usn.ubuntu.com/4213-1/"},{"refsource":"FEDORA","name":"FEDORA-2019-0b16cbdd0e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"},{"refsource":"FEDORA","name":"FEDORA-2019-9538783033","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update","url":"https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html"},{"refsource":"GENTOO","name":"GLSA-202003-34","url":"https://security.gentoo.org/glsa/202003-34"},{"refsource":"DEBIAN","name":"DSA-4682","url":"https://www.debian.org/security/2020/dsa-4682"},{"refsource":"MLIST","name":"[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"}]}},"nvd":{"publishedDate":"2019-11-26 17:15:00","lastModifiedDate":"2023-11-07 03:06:00","problem_types":["CWE-444"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndIncluding":"3.5.28","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0","versionEndIncluding":"4.8","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"18678","Ordinal":"159154","Title":"CVE-2019-18678","CVE":"CVE-2019-18678","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"18678","Ordinal":"1","NoteData":"An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"18678","Ordinal":"2","NoteData":"2019-11-26","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"18678","Ordinal":"3","NoteData":"2020-07-10","Type":"Other","Title":"Modified"}]}}}