CVE-2012-2213

Impact: Low
Public Date: 2012-04-16
Bugzilla: 817521: CVE-2012-2213 squid: URL filtering bypass

The MITRE CVE dictionary describes this issue as:

** DISPUTED ** Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a "req_header Host" acl regex that matches www.uol.com.br.

Find out more about CVE-2012-2213 from the MITRE CVE dictionary and NIST NVD.

Statement

We do not currently plan to fix this issue due to the lack of further information about the flaw and its impact. If more information becomes available at a future date, we may revisit the issue.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score are preliminary and subject to review.

Base Score: 6.4
Base Metrics: AV:N/AC:L/Au:N/C:P/I:P/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform                      Package   State
Red Hat Enterprise Linux 6    squid     Will not fix
Red Hat Enterprise Linux 5    squid     Will not fix

Last Modified

CVE description copyright © 2017, The MITRE Corporation
