Attacker Value
Very Low
(1 user assessed)
Exploitability
Very Low
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
0

CVE-2018-19131

Disclosure Date: November 09, 2018
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.

Add Assessment

3
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Technical Analysis

Bottom line: The commonName property of the certificate that signs the “failed to connect securely” error page within Squid gets rendered as HTML on the client/victim side.

In order to successfully exploit this XSS one would need to write a malicious .pem file in the location specified by squid.conf or modify squid.conf to point to an existing malicious .pem file.

If I had root level access to the filesystem on a squid box, serving a XSS from the error page would not be as useful as any number of other things that could be done. Similarly story if you MITM the victim.

PoC @ https://github.com/JonathanWilbur/CVE-2018-19131

CVSS V3 Severity and Metrics
Base Score:
6.1 Medium
Impact Score:
2.7
Exploitability Score:
2.8
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
None

General Information

Vendors

  • squid-cache

Products

  • squid

Additional Info

Technical Analysis