CVE-2016-10002

MEDIUM

Description

Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information.

References

http://rhn.redhat.com/errata/RHSA-2017-0182.html

http://rhn.redhat.com/errata/RHSA-2017-0183.html

http://www.debian.org/security/2016/dsa-3745

http://www.openwall.com/lists/oss-security/2016/12/18/1

http://www.securityfocus.com/bid/94953

http://www.securitytracker.com/id/1037513

http://www.squid-cache.org/Advisories/SQUID-2016_11.txt

Details

Source: MITRE

Published: 2017-01-27

Updated: 2018-01-05

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:squid-cache:squid:3.1.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.14:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.15:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.16:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.17:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.18:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.19:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.20:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.21:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.22:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.1.23:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:squid-cache:squid:3.2.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.14:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.15:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.16:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.17:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.18:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.0.19:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.2.14:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:squid-cache:squid:3.3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.0.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.3.14:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:squid-cache:squid:3.4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.4.14:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:squid-cache:squid:3.5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.14:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.15:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.16:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.17:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.18:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.19:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.20:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.21:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:3.5.22:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:squid-cache:squid:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.5:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.6:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.7:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.8:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.9:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.10:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.11:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.12:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.13:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.14:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.15:*:*:*:*:*:*:*

cpe:2.3:a:squid-cache:squid:4.0.16:*:*:*:*:*:*:*

Tenable Plugins

View all (24 total)

ID	Name	Product	Family	Severity
119721	Squid 3.1 < 3.x < 3.5.23 / 4.x < 4.0.17 Information Disclosure Vulnerability (SQUID-2016:11)	Nessus	Firewalls	medium
101414	Virtuozzo 6 : squid34 (VZLSA-2017-0183)	Nessus	Virtuozzo Local Security Checks	medium
101413	Virtuozzo 7 : squid / squid-migration-script / squid-sysvinit (VZLSA-2017-0182)	Nessus	Virtuozzo Local Security Checks	medium
99864	EulerOS 2.0 SP2 : squid (EulerOS-SA-2017-1018)	Nessus	Huawei Local Security Checks	medium
99863	EulerOS 2.0 SP1 : squid (EulerOS-SA-2017-1017)	Nessus	Huawei Local Security Checks	medium
97049	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : squid3 vulnerabilities (USN-3192-1)	Nessus	Ubuntu Local Security Checks	medium
96811	CentOS 6 : squid34 (CESA-2017:0183)	Nessus	CentOS Local Security Checks	medium
96810	CentOS 7 : squid (CESA-2017:0182)	Nessus	CentOS Local Security Checks	medium
96760	Scientific Linux Security Update : squid on SL7.x x86_64 (20170124)	Nessus	Scientific Linux Local Security Checks	medium
96759	Scientific Linux Security Update : squid34 on SL6.x i386/x86_64 (20170124)	Nessus	Scientific Linux Local Security Checks	medium
96755	RHEL 6 : squid34 (RHSA-2017:0183)	Nessus	Red Hat Local Security Checks	medium
96754	RHEL 7 : squid (RHSA-2017:0182)	Nessus	Red Hat Local Security Checks	medium
96752	Oracle Linux 6 : squid34 (ELSA-2017-0183)	Nessus	Oracle Linux Local Security Checks	medium
96751	Oracle Linux 7 : squid (ELSA-2017-0182)	Nessus	Oracle Linux Local Security Checks	medium
96670	Fedora 25 : 7:squid (2016-c614315d29)	Nessus	Fedora Local Security Checks	medium
96648	openSUSE Security Update : squid (openSUSE-2017-127)	Nessus	SuSE Local Security Checks	medium
96622	openSUSE Security Update : squid (openSUSE-2017-115)	Nessus	SuSE Local Security Checks	medium
96530	SUSE SLES12 Security Update : squid (SUSE-SU-2017:0128-1)	Nessus	SuSE Local Security Checks	medium
96482	SUSE SLES12 Security Update : squid (SUSE-SU-2017:0116-1)	Nessus	SuSE Local Security Checks	medium
96432	SUSE SLES11 Security Update : squid3 (SUSE-SU-2017:0110-1)	Nessus	SuSE Local Security Checks	medium
9858	Squid 3.5.x < 3.5.23 / 4.0.x < 4.0.17 Multiple Information Disclosure	Nessus Network Monitor	Web Servers	medium
96117	FreeBSD : squid -- multiple vulnerabilities (41f8af15-c8b9-11e6-ae1b-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium
96102	Debian DSA-3745-1 : squid3 - security update	Nessus	Debian Local Security Checks	medium
96098	Debian DLA-763-1 : squid3 security update	Nessus	Debian Local Security Checks	medium