CVE-2016-10002 Squid Cache CVE debrief

Who should care

Operators of affected Squid proxy deployments, especially environments using shared caching for user-specific or authenticated content; also incident responders and downstream distributors tracking security updates for packaged Squid builds.

Technical summary

NVD describes incorrect processing of responses to HTTP conditional requests in Squid 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16. The result is disclosure of client-specific Cookie data to other clients. NVD classifies the weakness as CWE-200 and assigns CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network-reachable, low-complexity exposure with high confidentiality impact.

Defensive priority

High. The vulnerability directly exposes sensitive data through a network-reachable proxy path and has no required privileges or user interaction.

Recommended defensive actions

• Identify whether any deployed Squid instances fall within the affected version ranges listed by NVD.
• Apply the vendor and downstream package advisories referenced for remediation, including the Squid vendor advisory and distro security notices.
• Prioritize patching internet-facing or multi-user proxy environments that may cache authenticated or cookie-bearing responses.
• After remediation, review proxy caching behavior for sensitive sessions and confirm vulnerable versions are no longer in service.

Evidence notes

This debrief is based on the NVD CVE record and the referenced vendor/downstream advisories. The CVE was published on 2017-01-27T17:59:00.133Z and later modified on 2026-05-13T00:24:29.033Z; the modified timestamp is record-maintenance context, not the issue date. The supplied NVD metadata states the affected Squid version ranges, the cookie-data leakage impact, the CVSS 3.0 vector, and CWE-200. References include the Squid vendor advisory SQUID-2016_11.txt plus Debian and Red Hat security notices.

Official resources