QID 356199

Date Published: 2023-09-28

QID 356199: Amazon Linux Security Advisory for squid : ALASSQUID4-2023-009

An issue was discovered in squid through 4.7 and 5.
When receiving a request, squid checks its cache to see if it can serve up a response.
It does this by making a md5 hash of the absolute url of the request.
If found, it servers the request.
The absolute url can include the decoded userinfo (username and password) for certain protocols.
This decoded info is prepended to the domain.
This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the url as a path or query string.
An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact url, it will serve the attacker's html instead of the real html.
On squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as esi. (
( CVE-2019-12520) an issue was discovered in squid through 4.7.
When handling requests from users, squid checks its rules to see if the request should be denied.
Squid by default comes with rules to block access to the cache manager, which serves detailed server information meant for the maintainer.
This rule is implemented via url_regex.
The handler for url_regex rules url decodes an incoming request.
This allows an attacker to encode their url to bypass the url_regex check, and gain access to the blocked resource. (
( CVE-2019-12524) a flaw was found in squid.
A trusted client can directly access the cache manager information, bypassing the manager acl protection and resulting in information disclosure. (
( CVE-2022-41317)



Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.

  • CVSS V3 rated as Critical - 9.8 severity.
  • CVSS V2 rated as High - 7.5 severity.
    • Solution
    Please refer to Amazon advisory: ALASSQUID4-2023-009 for affected packages and patching details, or update with your package manager.
    Vendor References

    CVEs related to QID 356199

    CVE-2022-41317 | CVE-2019-12520 | CVE-2019-12524 |
    Software Advisories
    Advisory ID Software Component Link
    ALASSQUID4-2023-009 amazon linux 2 URL Logo alas.aws.amazon.com/AL2/ALASSQUID4-2023-009.html
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].