{
  "threat_severity" : "Moderate",
  "public_date" : "2016-05-06T00:00:00Z",
  "bugzilla" : {
    "description" : "squid: Cache poisoning issue in HTTP Request handling",
    "id" : "1334233",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1334233"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.", "An input validation flaw was found in the way Squid handled intercepted HTTP Request messages. An attacker could use this flaw to bypass the protection against issues related to CVE-2009-0801, and perform cache poisoning attacks on Squid." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-05-31T00:00:00Z",
    "advisory" : "RHSA-2016:1140",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "squid34-7:3.4.14-9.el6_8.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-05-31T00:00:00Z",
    "advisory" : "RHSA-2016:1139",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "squid-7:3.3.8-26.el7_2.3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-4553\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4553\nhttp://www.squid-cache.org/Advisories/SQUID-2016_7.txt" ],
  "name" : "CVE-2016-4553",
  "csaw" : false
}