{
  "threat_severity" : "Moderate",
  "public_date" : "2018-10-31T00:00:00Z",
  "bugzilla" : {
    "description" : "squid: Cross-Site Scripting when generating HTTPS response messages about TLS errors",
    "id" : "1645146",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1645146"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-79",
  "details" : [ "Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.", "A Cross-Site Scripting vulnerability has been discovered in squid in the way X.509 certificates fields are displayed in some error pages. An attacker who can control the certificate of the origin content server may use this flaw to inject scripting code in the squid generated page, which is executed on the client's browser." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "squid34",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-19131\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-19131\nhttp://www.squid-cache.org/Advisories/SQUID-2018_4.txt" ],
  "name" : "CVE-2018-19131",
  "mitigation" : {
    "value" : "Remove %D error page macro from ERR_SECURE_CONNECT_FAIL pages found under /usr/share/squid/errors/ and any custom error pages.",
    "lang" : "en:us"
  },
  "csaw" : false
}