Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a "req_header Host" acl regex that matches www.uol.com.br
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2012-04-28T10:00:00Z

Updated: 2024-09-16T22:19:37.657Z

Reserved: 2012-04-06T00:00:00Z

Link: CVE-2012-2213

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2012-04-28T10:06:13.273

Modified: 2024-11-21T01:38:43.070

Link: CVE-2012-2213

cve-icon Redhat

Severity : Low

Publid Date: 2012-04-16T00:00:00Z

Links: CVE-2012-2213 - Bugzilla