CVE-2016-10002

MEDIUM

Description

Incorrect processing of responses to If-None-Match HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information. Fixed in Squid 3.5.23 and 4.0.17 (see SQUID-2016:11 in the references).
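The version ranges and the probing behaviour in the description lend themselves to a mechanical check. The following Python is an added example, not code from the CVE record or from the Squid project: it parses Squid's three- and four-component version strings, tests them against the ranges given above, extracts the version a Squid hop advertises in the Via header, and evaluates a captured probe response for the header pattern a leaked cookie would produce. It assumes Squid's default header formats ("Via: 1.1 host (squid/VERSION)" and "X-Cache: HIT from host"), which an administrator can suppress, and the cookie check is a heuristic, not proof of exploitation.

```python
"""Triage helpers for CVE-2016-10002 (added example; not part of the CVE entry
or of the Squid project). Two checks: is a given Squid version inside the
affected ranges the description lists, and does a proxy-served response show
the header pattern a leaked cookie would produce."""
import re
from typing import Dict, List, Optional, Tuple

# Inclusive (low, high) ranges, copied from the CVE description.
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (
    ("3.1.10", "3.1.23"),
    ("3.2.0.3", "3.5.22"),
    ("4.0.1", "4.0.16"),
)

# Squid appends itself to the Via header of forwarded responses as
# "(squid/VERSION)". Assumed default behaviour; the via directive can disable it.
_SQUID_VIA_RE = re.compile(r"\(squid/(\d+(?:\.\d+)+)\)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.5.22' -> (3, 5, 22); '3.2.0.3' -> (3, 2, 0, 3).

    Squid betas carry four components and releases three. Element-wise tuple
    comparison orders them the way Squid does (3.2.0.3 < 3.2.1 < 3.5.22)."""
    if not re.fullmatch(r"\d+(?:\.\d+)+", text):
        raise ValueError(f"not a Squid version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool:
    """True when version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def squid_version_from_via(via: str) -> Optional[str]:
    """Extract the upstream version a Squid hop advertised in a Via header,
    e.g. '1.1 proxy.example.org (squid/3.5.20)' -> '3.5.20'.
    Returns None when no hop identified itself as Squid."""
    m = _SQUID_VIA_RE.search(via)
    return m.group(1) if m else None


def suspicious_cookie_headers(status: int, headers: Dict[str, str]) -> List[str]:
    """Heuristic evaluation of a probe response, not proof of exploitation.

    A response Squid satisfied from its cache (X-Cache: HIT ..., Squid's
    default header) or a 304 it generated for a conditional request is shared
    state: it should never carry a Cookie or Set-Cookie header that belonged
    to some other client's exchange. Returns the offending header names."""
    lower = {name.lower(): value for name, value in headers.items()}
    served_from_cache = status == 304 or lower.get("x-cache", "").upper().startswith("HIT")
    if not served_from_cache:
        return []
    return [name for name in ("cookie", "set-cookie") if name in lower]


if __name__ == "__main__":
    # Constructed sample data, not captured traffic.
    via = "1.1 proxy.example.org (squid/3.5.20)"
    version = squid_version_from_via(via) or ""
    print(f"Via reports squid/{version}: inside affected range = {is_affected(version)}")
    hit = {"X-Cache": "HIT from proxy.example.org", "Set-Cookie": "session=abc"}
    print("leaked headers on cache HIT:", suspicious_cookie_headers(200, hit))
```

Treat the version check as a first triage signal only. The distribution updates in the references (RHSA-2017:0182 and 0183, DSA-3745, USN-3192-1) backport the fix without changing the upstream version Squid advertises, so a patched distribution build can still report a version inside the range; confirm against the installed package version and the vendor advisory, which is what the local security checks listed below do.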

References

http://rhn.redhat.com/errata/RHSA-2017-0182.html

http://rhn.redhat.com/errata/RHSA-2017-0183.html

http://www.debian.org/security/2016/dsa-3745

http://www.openwall.com/lists/oss-security/2016/12/18/1

http://www.securityfocus.com/bid/94953

http://www.securitytracker.com/id/1037513

http://www.squid-cache.org/Advisories/SQUID-2016_11.txt

Details

Source: MITRE

Published: 2017-01-27

Updated: 2018-01-05

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10.0

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:squid-cache:squid:3.1.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.14:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.15:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.16:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.17:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.18:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.19:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.20:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.21:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.22:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.23:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:squid-cache:squid:3.2.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.14:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.15:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.16:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.17:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.18:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.19:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.14:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:squid-cache:squid:3.3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.0.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.14:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:squid-cache:squid:3.4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.14:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:squid-cache:squid:3.5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.14:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.15:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.16:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.17:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.18:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.19:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.20:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.21:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.22:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:squid-cache:squid:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.14:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.15:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.16:*:*:*:*:*:*:*

Tenable Plugins

24 plugins in total.

ID | Name | Product | Family | Severity
119721 | Squid 3.1 < 3.x < 3.5.23 / 4.x < 4.0.17 Information Disclosure Vulnerability (SQUID-2016:11) | Nessus | Firewalls | medium
101414 | Virtuozzo 6 : squid34 (VZLSA-2017-0183) | Nessus | Virtuozzo Local Security Checks | medium
101413 | Virtuozzo 7 : squid / squid-migration-script / squid-sysvinit (VZLSA-2017-0182) | Nessus | Virtuozzo Local Security Checks | medium
99864 | EulerOS 2.0 SP2 : squid (EulerOS-SA-2017-1018) | Nessus | Huawei Local Security Checks | medium
99863 | EulerOS 2.0 SP1 : squid (EulerOS-SA-2017-1017) | Nessus | Huawei Local Security Checks | medium
97049 | Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : squid3 vulnerabilities (USN-3192-1) | Nessus | Ubuntu Local Security Checks | medium
96811 | CentOS 6 : squid34 (CESA-2017:0183) | Nessus | CentOS Local Security Checks | medium
96810 | CentOS 7 : squid (CESA-2017:0182) | Nessus | CentOS Local Security Checks | medium
96760 | Scientific Linux Security Update : squid on SL7.x x86_64 (20170124) | Nessus | Scientific Linux Local Security Checks | medium
96759 | Scientific Linux Security Update : squid34 on SL6.x i386/x86_64 (20170124) | Nessus | Scientific Linux Local Security Checks | medium
96755 | RHEL 6 : squid34 (RHSA-2017:0183) | Nessus | Red Hat Local Security Checks | medium
96754 | RHEL 7 : squid (RHSA-2017:0182) | Nessus | Red Hat Local Security Checks | medium
96752 | Oracle Linux 6 : squid34 (ELSA-2017-0183) | Nessus | Oracle Linux Local Security Checks | medium
96751 | Oracle Linux 7 : squid (ELSA-2017-0182) | Nessus | Oracle Linux Local Security Checks | medium
96670 | Fedora 25 : 7:squid (2016-c614315d29) | Nessus | Fedora Local Security Checks | medium
96648 | openSUSE Security Update : squid (openSUSE-2017-127) | Nessus | SuSE Local Security Checks | medium
96622 | openSUSE Security Update : squid (openSUSE-2017-115) | Nessus | SuSE Local Security Checks | medium
96530 | SUSE SLES12 Security Update : squid (SUSE-SU-2017:0128-1) | Nessus | SuSE Local Security Checks | medium
96482 | SUSE SLES12 Security Update : squid (SUSE-SU-2017:0116-1) | Nessus | SuSE Local Security Checks | medium
96432 | SUSE SLES11 Security Update : squid3 (SUSE-SU-2017:0110-1) | Nessus | SuSE Local Security Checks | medium
9858 | Squid 3.5.x < 3.5.23 / 4.0.x < 4.0.17 Multiple Information Disclosure | Nessus Network Monitor | Web Servers | medium
96117 | FreeBSD : squid -- multiple vulnerabilities (41f8af15-c8b9-11e6-ae1b-002590263bf5) | Nessus | FreeBSD Local Security Checks | medium
96102 | Debian DSA-3745-1 : squid3 - security update | Nessus | Debian Local Security Checks | medium
96098 | Debian DLA-763-1 : squid3 security update | Nessus | Debian Local Security Checks | medium