{"id":"CVE-2022-41317","details":"An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.","modified":"2026-03-15T21:45:01.881914Z","published":"2022-12-25T19:15:10.767Z","related":["GHSA-rcg9-7fqm-83mq","MGASA-2022-0351","SUSE-SU-2022:3531-1","SUSE-SU-2022:3532-1","SUSE-SU-2022:3533-1","SUSE-SU-2022:3596-1","openSUSE-SU-2024:12364-1"],"references":[{"type":"FIX","url":"http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch"},{"type":"FIX","url":"https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq"},{"type":"FIX","url":"https://www.openwall.com/lists/oss-security/2022/09/23/1"},{"type":"FIX","url":"http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/squid-cache/squid","events":[{"introduced":"69be6ba1bcc88ff9b75b526e936a4bae23f05bea"},{"last_affected":"874e8b4ca0342a1c399ddadc1cf6998590fa46a6"},{"introduced":"1521895e24671463bf590cabcdbd2acf637ed2c1"},{"fixed":"5bb2694408e7a42897e9efe775361579d8864de8"}],"database_specific":{"versions":[{"introduced":"4.9"},{"last_affected":"4.17"},{"introduced":"5.0.6"},{"fixed":"5.7"}]}}],"versions":["SQUID_4_10","SQUID_4_11","SQUID_4_12","SQUID_4_13","SQUID_4_14","SQUID_4_15","SQUID_4_16","SQUID_4_17","SQUID_4_9"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["157750309172091702582925428005493227867","218881333121098214655110636846154953560","206051021408544867493777671469714873892","70933281598196939590700626067890505816","237286626667678540720639229716632419352","12908433598266290249320675408114387116","185234433191157783139533113985827305669","91207162898924998580933656119642315529","12830155845411348948611201853498301870","98043717554064422388750680731084828886"]},"deprecated":false,"signature_type":"Line","target":{"file":"src/ssl/support.cc"},"source":"https://github.com/squid-cache/squid/commit/5bb2694408e7a42897e9efe775361579d8864de8","id":"CVE-2022-41317-0a2a77c1","signature_version":"v1"},{"digest":{"length":2417,"function_hash":"188390915243848524858308343346591833357"},"deprecated":false,"signature_type":"Function","target":{"function":"Ssl::Initialize","file":"src/ssl/support.cc"},"source":"https://github.com/squid-cache/squid/commit/5bb2694408e7a42897e9efe775361579d8864de8","id":"CVE-2022-41317-1f50be07","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["284090572366065137028192422215588986250","19951007384723126726267253642941680731","156669495693973190387507273863492603738","301758475509959629984069537199932148530","97161342785240974768606456605877618890","169523640118712761496248132354948595410","167510253363874404944685795350416904550","135929239310644637345597208847357782135"]},"deprecated":false,"signature_type":"Line","target":{"file":"src/security/ServerOptions.cc"},"source":"https://github.com/squid-cache/squid/commit/5bb2694408e7a42897e9efe775361579d8864de8","id":"CVE-2022-41317-f2e2486f","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41317.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}