{
  "threat_severity" : "Moderate",
  "public_date" : "2019-11-03T00:00:00Z",
  "bugzilla" : {
    "description" : "squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour",
    "id" : "1817121",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1817121"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20->CWE-79",
  "details" : [ "Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.", "A flaw was found in squid. Squid, when certain web browsers are used, mishandles HTML in the host parameter to cachemgr.cgi, which could result in squid behaving in an insecure way." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4743",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "squid:4-8030020200828070549.30b713e6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Under investigation",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "squid34",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Under investigation",
    "package_name" : "squid",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-18860\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-18860\nhttps://github.com/squid-cache/squid/pull/504" ],
  "name" : "CVE-2019-18860",
  "mitigation" : {
    "value" : "The cachemgr.cgi script is not used by default. If you've set this up manually and are worried about this issue, remove it from your server.",
    "lang" : "en:us"
  },
  "csaw" : false
}