squid is vulnerable to authorization bypass. When handling a URN request, the corresponding HTTP request that is made does not go through the access checks, allowing an attacker to bypass access checks and gain access to restricted HTTP servers such as HTTP servers listening on localhost.
lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html
www.squid-cache.org/Advisories/SQUID-2019_8.txt
bugzilla.suse.com/show_bug.cgi?id=1156329
lists.debian.org/debian-lts-announce/2020/07/msg00009.html
lists.fedoraproject.org/archives/list/[email protected]/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
lists.fedoraproject.org/archives/list/[email protected]/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
usn.ubuntu.com/4213-1/
usn.ubuntu.com/4446-1/
www.debian.org/security/2020/dsa-4682