All the vulnerabilities related to squid-cache - squid
cve-2013-4123
Vulnerability from cvelistv5
Published
2013-09-16 19:00
Modified
2024-09-17 03:48
Summary
client_side_request.cc in Squid 3.2.x before 3.2.13 and 3.3.x before 3.3.8 allows remote attackers to cause a denial of service via a crafted port number in a HTTP Host header.
References
| URL | Tags |
|---|---|
| http://secunia.com/advisories/54142 | third-party-advisory, x_refsource_SECUNIA |
| http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12591.patch | x_refsource_CONFIRM |
| http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11826.patch | x_refsource_CONFIRM |
| http://secunia.com/advisories/54834 | third-party-advisory, x_refsource_SECUNIA |
| http://www.squid-cache.org/Advisories/SQUID-2013_3.txt | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2013-09/msg00024.html | vendor-advisory, x_refsource_SUSE |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:30:50.014Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "54142", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/54142" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12591.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11826.patch" }, { "name": "54834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/54834" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2013_3.txt" }, { "name": "openSUSE-SU-2013:1435", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00024.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "client_side_request.cc in Squid 3.2.x before 3.2.13 and 3.3.x before 3.3.8 allows remote attackers to cause a denial of service via a crafted port number in a HTTP Host header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2013-09-16T19:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "54142", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54142" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12591.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11826.patch" }, { "name": "54834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54834" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2013_3.txt" }, { "name": "openSUSE-SU-2013:1435", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00024.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4123", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "client_side_request.cc in Squid 3.2.x before 3.2.13 and 3.3.x before 3.3.8 allows remote attackers to cause a denial of service via a crafted port number in a HTTP Host header." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "54142", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/54142" }, { "name": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12591.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12591.patch" }, { "name": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11826.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11826.patch" }, { "name": "54834", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/54834" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2013_3.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2013_3.txt" }, { "name": "openSUSE-SU-2013:1435", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00024.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4123", "datePublished": "2013-09-16T19:00:00Z", "dateReserved": "2013-06-12T00:00:00Z", "dateUpdated": "2024-09-17T03:48:39.055Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-46728
Vulnerability from cvelistv5
Published
2023-11-06 17:13
Modified
2024-08-02 20:53
Severity: 7.5 (HIGH), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
SQUID-2021:8 Denial of Service in Gopher gateway
References
Impacted products
| Vendor | Product |
|---|---|
| squid-cache | squid |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:53:21.619Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f" }, { "name": "https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231214-0006/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003c 6.0.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid\u0027s Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-06T17:13:45.821Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f" }, { "name": "https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3" }, { "url": "https://security.netapp.com/advisory/ntap-20231214-0006/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" } ], "source": { "advisory": "GHSA-cg5h-v6vc-w33f", "discovery": "UNKNOWN" }, "title": "SQUID-2021:8 Denial of Service in Gopher gateway" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-46728", "datePublished": "2023-11-06T17:13:45.821Z", "dateReserved": "2023-10-25T14:30:33.751Z", "dateUpdated": "2024-08-02T20:53:21.619Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4554
Vulnerability from cvelistv5
Published
2016-05-10 19:00
Modified
2024-08-06 00:32
Summary
mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:32:25.859Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_8.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_8.patch" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_8.patch" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "1035769", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035769" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_8.patch" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": 
"https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_8.txt" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_8.patch" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3625" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-05-06T00:00:00", "descriptions": [ { "lang": "en", "value": "mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a \"header smuggling\" issue." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-28T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_8.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_8.patch" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_8.patch" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "1035769", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035769" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_8.patch" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": 
"https://access.redhat.com/errata/RHSA-2016:1139" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_8.txt" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_8.patch" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3625" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4554", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a \"header smuggling\" issue." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_8.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_8.patch" }, { "name": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_8.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_8.patch" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_8.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2016_8.patch" }, { "name": "USN-2995-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "1035769", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035769" }, { "name": "http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_8.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_8.patch" }, { "name": "RHSA-2016:1140", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "RHSA-2016:1139", "refsource": "REDHAT", "url": 
"https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_8.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_8.txt" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_8.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_8.patch" }, { "name": "DSA-3625", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3625" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4554", "datePublished": "2016-05-10T19:00:00", "dateReserved": "2016-05-06T00:00:00", "dateUpdated": "2024-08-06T00:32:25.859Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12524
Vulnerability from cvelistv5
Published
2020-04-15 18:35
Modified
2024-08-04 23:24
Summary
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.
References
| URL | Tags |
|---|---|
| https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt | x_refsource_MISC |
| https://www.debian.org/security/2020/dsa-4682 | vendor-advisory, x_refsource_DEBIAN |
| https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html | mailing-list, x_refsource_MLIST |
| https://usn.ubuntu.com/4446-1/ | vendor-advisory, x_refsource_UBUNTU |
| https://security.netapp.com/advisory/ntap-20210205-0006/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.617Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4446-1/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-05T11:06:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4446-1/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12524", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt", "refsource": "MISC", "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4446-1/" }, { "name": "https://security.netapp.com/advisory/ntap-20210205-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12524", "datePublished": "2020-04-15T18:35:11", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.617Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-2621
Vulnerability from cvelistv5
Published
2009-07-28 17:00
Modified
2024-08-07 05:59
Summary
Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not properly enforce "buffer limits and related bound checks," which allows remote attackers to cause a denial of service via (1) an incomplete request or (2) a request with a large header size, related to (a) HttpMsg.cc and (b) client_side.cc.
References
| URL | Tags |
|---|---|
| http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch | x_refsource_CONFIRM |
| http://www.securitytracker.com/id?1022607 | vdb-entry, x_refsource_SECTRACK |
| http://www.securityfocus.com/bid/35812 | vdb-entry, x_refsource_BID |
| http://www.vupen.com/english/advisories/2009/2013 | vdb-entry, x_refsource_VUPEN |
| http://secunia.com/advisories/36007 | third-party-advisory, x_refsource_SECUNIA |
| http://www.squid-cache.org/Advisories/SQUID-2009_2.txt | x_refsource_CONFIRM |
| http://www.mandriva.com/security/advisories?name=MDVSA-2009:161 | vendor-advisory, x_refsource_MANDRIVA |
| http://www.mandriva.com/security/advisories?name=MDVSA-2009:178 | vendor-advisory, x_refsource_MANDRIVA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T05:59:55.743Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch" }, { "name": "1022607", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1022607" }, { "name": "35812", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/35812" }, { "name": "ADV-2009-2013", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2013" }, { "name": "36007", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36007" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2009_2.txt" }, { "name": "MDVSA-2009:161", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:161" }, { "name": "MDVSA-2009:178", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:178" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-07-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not properly enforce \"buffer limits and related bound checks,\" which allows remote attackers to cause a denial of service via (1) an incomplete request or (2) a request with a large header size, related to (a) HttpMsg.cc and (b) client_side.cc." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2009-08-07T09:00:00", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch" }, { "name": "1022607", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1022607" }, { "name": "35812", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/35812" }, { "name": "ADV-2009-2013", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2013" }, { "name": "36007", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36007" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2009_2.txt" }, { "name": "MDVSA-2009:161", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:161" }, { "name": "MDVSA-2009:178", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:178" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "ID": "CVE-2009-2621", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 does not properly enforce \"buffer limits and related bound checks,\" which allows remote attackers to cause a denial of service via (1) an incomplete request or (2) a request with a large header size, 
related to (a) HttpMsg.cc and (b) client_side.cc." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/b9654.patch" }, { "name": "1022607", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1022607" }, { "name": "35812", "refsource": "BID", "url": "http://www.securityfocus.com/bid/35812" }, { "name": "ADV-2009-2013", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2013" }, { "name": "36007", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36007" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2009_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2009_2.txt" }, { "name": "MDVSA-2009:161", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:161" }, { "name": "MDVSA-2009:178", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:178" } ] } } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2009-2621", "datePublished": "2009-07-28T17:00:00", "dateReserved": "2009-07-28T00:00:00", "dateUpdated": "2024-08-07T05:59:55.743Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14058
Vulnerability from cvelistv5
Published
2020-06-30 18:30
Modified
2024-08-04 12:32
Summary
An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string.
References
▼ | URL | Tags |
---|---|---|
http://www.squid-cache.org/Versions/v5/changesets/squid-5-c6d1a4f6a2cbebceebc8a3fcd8f539ceb7b7f723.patch | x_refsource_MISC | |
http://www.squid-cache.org/Versions/v4/changesets/squid-4-93f5fda134a2a010b84ffedbe833d670e63ba4be.patch | x_refsource_MISC | |
http://www.squid-cache.org/Advisories/SQUID-2020_6.txt | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/ | vendor-advisory, x_refsource_FEDORA | |
https://security.netapp.com/advisory/ntap-20210312-0001/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:32:14.692Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-c6d1a4f6a2cbebceebc8a3fcd8f539ceb7b7f723.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-93f5fda134a2a010b84ffedbe833d670e63ba4be.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_6.txt" }, { "name": "FEDORA-2020-cbebc5617e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210312-0001/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-06-19T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-12T12:06:31", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-c6d1a4f6a2cbebceebc8a3fcd8f539ceb7b7f723.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-93f5fda134a2a010b84ffedbe833d670e63ba4be.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_6.txt" }, { "name": "FEDORA-2020-cbebc5617e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210312-0001/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-14058", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-c6d1a4f6a2cbebceebc8a3fcd8f539ceb7b7f723.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-c6d1a4f6a2cbebceebc8a3fcd8f539ceb7b7f723.patch" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-93f5fda134a2a010b84ffedbe833d670e63ba4be.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-93f5fda134a2a010b84ffedbe833d670e63ba4be.patch" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2020_6.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2020_6.txt" }, { "name": "FEDORA-2020-cbebc5617e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/" }, { "name": "https://security.netapp.com/advisory/ntap-20210312-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210312-0001/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-14058", "datePublished": "2020-06-30T18:30:56", "dateReserved": "2020-06-13T00:00:00", "dateUpdated": "2024-08-04T12:32:14.692Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12528
Vulnerability from cvelistv5
Published
2020-02-04 20:07
Modified
2024-08-04 23:24
Severity: none in this record (no CVSS metrics in the JSON below)
Summary
An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.601Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_2.txt" }, { "name": "USN-4289-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "FEDORA-2020-ab8e7463ab", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/" }, { "name": "FEDORA-2020-790296a8f4", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/" }, { "name": "openSUSE-SU-2020:0606", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": 
"https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users\u0027 sessions or non-Squid processes." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-10T23:06:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_2.txt" }, { "name": "USN-4289-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "FEDORA-2020-ab8e7463ab", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/" }, { "name": "FEDORA-2020-790296a8f4", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/" }, { "name": "openSUSE-SU-2020:0606", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", 
"x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12528", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users\u0027 sessions or non-Squid processes." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2020_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2020_2.txt" }, { "name": "USN-4289-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "FEDORA-2020-ab8e7463ab", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/" }, { "name": "FEDORA-2020-790296a8f4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/" }, { "name": "openSUSE-SU-2020:0606", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12528", "datePublished": "2020-02-04T20:07:15", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.601Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-19131
Vulnerability from cvelistv5
Published
2018-11-09 11:00
Modified
2024-09-16 18:33
Severity: none in this record (no CVSS metrics in the JSON below)
Summary
Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.
References
▼ | URL | Tags |
---|---|---|
http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch | x_refsource_MISC | |
http://www.squid-cache.org/Advisories/SQUID-2018_4.txt | x_refsource_MISC | |
https://github.com/squid-cache/squid/pull/306 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:30:04.024Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_4.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/306" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-11-09T11:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_4.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/pull/306" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19131", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid before 4.4 has XSS via a crafted X.509 
certificate during HTTP(S) error page generation for certificate errors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-6feeb15ff312f3e145763adf8d234ed6a0b3f11d.patch" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2018_4.txt", "refsource": "MISC", "url": "http://www.squid-cache.org/Advisories/SQUID-2018_4.txt" }, { "name": "https://github.com/squid-cache/squid/pull/306", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/306" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19131", "datePublished": "2018-11-09T11:00:00Z", "dateReserved": "2018-11-09T00:00:00Z", "dateUpdated": "2024-09-16T18:33:29.179Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-25617
Vulnerability from cvelistv5
Published
2024-02-14 20:55
Modified
2024-08-16 18:06
Severity: 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Summary
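Denial of Service in HTTP Header parser in squid proxy. Per the record's description, Squid versions before 6.5 are exposed while request_header_max_size or reply_header_max_size are left at their defaults; 6.5 ships safe defaults but only warns in cache.log about unsafe values and does not prevent them.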
References
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:44:09.683Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr" }, { "name": "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240322-0006/" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "squid", "vendor": "squid-cache", "versions": [ { "lessThan": "6.5", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-25617", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-16T18:04:53.172761Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-16T18:06:08.382Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003c 6.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. 
This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2 " } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-182", "description": "CWE-182: Collapse of Data into Unsafe Value", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-14T20:55:52.004Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr" }, { "name": "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817" }, { 
"url": "https://security.netapp.com/advisory/ntap-20240322-0006/" } ], "source": { "advisory": "GHSA-h5x6-w8mv-xfpr", "discovery": "UNKNOWN" }, "title": "Denial of Service in HTTP Header parser in squid proxy" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-25617", "datePublished": "2024-02-14T20:55:52.004Z", "dateReserved": "2024-02-08T22:26:33.510Z", "dateUpdated": "2024-08-16T18:06:08.382Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-50269
Vulnerability from cvelistv5
Published
2023-12-14 17:09
Modified
2024-08-02 22:16
Severity: 8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
Summary
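SQUID-2023:10 Denial of Service in HTTP Request parsing. Per the record's description, exposure requires the follow_x_forwarded_for feature to be configured; the bug is fixed in Squid 6.6, with patches for the stable releases in Squid's patch archives.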
References
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T22:16:46.315Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3" }, { "name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_10.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_10.patch" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240119-0005/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003e= 2.6, \u003c= 2.7.STABLE9" }, { "status": "affected", "version": "\u003e= 3.1, \u003c= 5.9" }, { "status": "affected", "version": "\u003e= 6.0.1, \u003c 6.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. 
This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid\u0027s patch archives." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-14T17:09:25.168Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3" }, { "name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch", "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_10.patch", "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_10.patch" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" }, { "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html" }, { "url": 
"https://security.netapp.com/advisory/ntap-20240119-0005/" } ], "source": { "advisory": "GHSA-wgq4-4cfg-c4x3", "discovery": "UNKNOWN" }, "title": "SQUID-2023:10 Denial of Service in HTTP Request parsing" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-50269", "datePublished": "2023-12-14T17:09:25.168Z", "dateReserved": "2023-12-05T20:42:59.381Z", "dateUpdated": "2024-08-02T22:16:46.315Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-2569
Vulnerability from cvelistv5
Published
2016-02-27 02:00
Modified
2024-08-05 23:32
Severity: none in this record (no CVSS metrics in the JSON below)
Summary
Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header.
References
▼ | URL | Tags |
---|---|---|
https://usn.ubuntu.com/3557-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://security.gentoo.org/glsa/201607-01 | vendor-advisory, x_refsource_GENTOO | |
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://rhn.redhat.com/errata/RHSA-2016-2600.html | vendor-advisory, x_refsource_REDHAT | |
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html | vendor-advisory, x_refsource_SUSE | |
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2016/02/26/2 | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE | |
http://www.securitytracker.com/id/1035101 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:32:20.956Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035101" } ], "title": "CVE Program 
Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-02-26T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-15T09:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": 
"http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035101" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2569", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3557-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "RHSA-2016:2600", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035101" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-2569", "datePublished": "2016-02-27T02:00:00", "dateReserved": "2016-02-26T00:00:00", "dateUpdated": "2024-08-05T23:32:20.956Z", "state": "PUBLISHED" 
}, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12521
Vulnerability from cvelistv5
Published
2020-04-15 18:47
Modified
2024-08-04 23:24
Summary
An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can't affect adjacent memory blocks, and thus just leads to a crash while processing.
References
URL | Tags | |
---|---|---|
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12521.txt | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2020/04/23/1 | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2020/dsa-4682 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html | vendor-advisory, x_refsource_SUSE | |
https://security.gentoo.org/glsa/202005-05 | vendor-advisory, x_refsource_GENTOO | |
https://usn.ubuntu.com/4356-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html | mailing-list, x_refsource_MLIST | |
https://security.netapp.com/advisory/ntap-20210205-0006/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.850Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12521.txt" }, { "name": "[oss-security] 20200423 [ADVISORY] SQUID-2019:12 Multiple issues in ESI Response processing", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/23/1" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "GLSA-202005-05", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202005-05" }, { "name": "USN-4356-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. 
When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it\u0027s off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can\u0027t affect adjacent memory blocks, and thus just leads to a crash while processing." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-05T11:06:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12521.txt" }, { "name": "[oss-security] 20200423 [ADVISORY] SQUID-2019:12 Multiple issues in ESI Response processing", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/23/1" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "GLSA-202005-05", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202005-05" }, { "name": "USN-4356-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12521", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { 
"product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it\u0027s off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can\u0027t affect adjacent memory blocks, and thus just leads to a crash while processing." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12521.txt", "refsource": "MISC", "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12521.txt" }, { "name": "[oss-security] 20200423 [ADVISORY] SQUID-2019:12 Multiple issues in ESI Response processing", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/04/23/1" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "GLSA-202005-05", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202005-05" }, { "name": "USN-4356-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { 
"name": "https://security.netapp.com/advisory/ntap-20210205-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12521", "datePublished": "2020-04-15T18:47:43", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.850Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-10002
Vulnerability from cvelistv5
Published
2017-01-27 17:00
Modified
2024-08-06 03:07
Summary
Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information.
References
URL | Tags | |
---|---|---|
http://www.squid-cache.org/Advisories/SQUID-2016_11.txt | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1037513 | vdb-entry, x_refsource_SECTRACK | |
http://www.openwall.com/lists/oss-security/2016/12/18/1 | mailing-list, x_refsource_MLIST | |
http://rhn.redhat.com/errata/RHSA-2017-0183.html | vendor-advisory, x_refsource_REDHAT | |
http://rhn.redhat.com/errata/RHSA-2017-0182.html | vendor-advisory, x_refsource_REDHAT | |
http://www.securityfocus.com/bid/94953 | vdb-entry, x_refsource_BID | |
http://www.debian.org/security/2016/dsa-3745 | vendor-advisory, x_refsource_DEBIAN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T03:07:31.821Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_11.txt" }, { "name": "1037513", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1037513" }, { "name": "[oss-security] 20161217 Re: CVE Request - squid HTTP proxy multiple Information Disclosure issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/18/1" }, { "name": "RHSA-2017:0183", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0183.html" }, { "name": "RHSA-2017:0182", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0182.html" }, { "name": "94953", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/94953" }, { "name": "DSA-3745", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3745" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-12-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-04T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_11.txt" }, { "name": "1037513", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1037513" }, { "name": "[oss-security] 20161217 Re: CVE Request - squid HTTP proxy multiple Information Disclosure issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/18/1" }, { "name": "RHSA-2017:0183", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0183.html" }, { "name": "RHSA-2017:0182", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2017-0182.html" }, { "name": "94953", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/94953" }, { "name": "DSA-3745", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3745" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-10002", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. 
Attack requests can easily be crafted by a client to probe a cache for this information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_11.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_11.txt" }, { "name": "1037513", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037513" }, { "name": "[oss-security] 20161217 Re: CVE Request - squid HTTP proxy multiple Information Disclosure issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/12/18/1" }, { "name": "RHSA-2017:0183", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0183.html" }, { "name": "RHSA-2017:0182", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0182.html" }, { "name": "94953", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94953" }, { "name": "DSA-3745", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3745" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-10002", "datePublished": "2017-01-27T17:00:00", "dateReserved": "2016-12-17T00:00:00", "dateUpdated": "2024-08-06T03:07:31.821Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12522
Vulnerability from cvelistv5
Published
2020-04-15 19:00
Modified
2024-08-04 23:24
Summary
An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt | x_refsource_MISC | |
https://security.netapp.com/advisory/ntap-20210205-0006/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.888Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-05T11:06:16", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12522", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid through 4.7. 
When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt", "refsource": "MISC", "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt" }, { "name": "https://security.netapp.com/advisory/ntap-20210205-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12522", "datePublished": "2020-04-15T19:00:01", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.888Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-46846
Vulnerability from cvelistv5
Published
2023-11-03 07:33
Modified
2024-11-21 18:41
Summary
Squid: request/response smuggling in http/1.1 and icap
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:53:21.849Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2023:6266", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6266" }, { "name": "RHSA-2023:6267", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6267" }, { "name": "RHSA-2023:6268", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6268" }, { "name": "RHSA-2023:6748", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6748" }, { "name": "RHSA-2023:6801", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6801" }, { "name": "RHSA-2023:6803", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6803" }, { "name": "RHSA-2023:6804", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6804" }, { "name": "RHSA-2023:6810", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6810" }, { "name": "RHSA-2023:7213", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:7213" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-46846" }, { "name": "RHBZ#2245910", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245910" }, { "tags": [ "x_transferred" ], "url": 
"https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00008.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231130-0002/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/squid-cache/squid", "defaultStatus": "unaffected", "packageName": "squid", "versions": [ { "lessThan": "6.4", "status": "affected", "version": "2.6", "versionType": "semver" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8080020231030214932.63b34585", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8090020231030224841.a75119d5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.1::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8010020231101141358.c27ad7f8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ 
"cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8020020231101135052.4cda2c84", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8020020231101135052.4cda2c84", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8020020231101135052.4cda2c84", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8040020231101101624.522a0ee4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ 
"cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8040020231101101624.522a0ee4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8040020231101101624.522a0ee4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:8.6::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8060020231031165747.ad008a3a", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.5-5.el9_2.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", 
"version": "7:5.5-6.el9_3.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.0::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.2-1.el9_0.3", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "affected", "packageName": "squid34", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" } ], "datePublic": "2023-10-19T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems." 
} ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-444", "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-21T18:41:23.306Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2023:6266", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6266" }, { "name": "RHSA-2023:6267", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6267" }, { "name": "RHSA-2023:6268", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6268" }, { "name": "RHSA-2023:6748", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6748" }, { "name": "RHSA-2023:6801", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6801" }, { "name": "RHSA-2023:6803", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6803" }, { "name": "RHSA-2023:6804", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6804" }, { "name": "RHSA-2023:6810", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], 
"url": "https://access.redhat.com/errata/RHSA-2023:6810" }, { "name": "RHSA-2023:7213", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:7213" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-46846" }, { "name": "RHBZ#2245910", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245910" }, { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh" } ], "timeline": [ { "lang": "en", "time": "2023-10-24T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-10-19T00:00:00+00:00", "value": "Made public." } ], "title": "Squid: request/response smuggling in http/1.1 and icap", "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-46846", "datePublished": "2023-11-03T07:33:16.184Z", "dateReserved": "2023-10-27T08:36:38.158Z", "dateUpdated": "2024-11-21T18:41:23.306Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2005-0211
Vulnerability from cvelistv5
Published
2005-02-06 05:00
Modified
2024-08-07 21:05
Summary
Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long WCCP packet, which is processed by a recvfrom function call that uses an incorrect length parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T21:05:25.302Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "1013045", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1013045" }, { "name": "13319", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/13319" }, { "name": "VU#886006", "tags": [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred" ], "url": "http://www.kb.cert.org/vuls/id/886006" }, { "name": "14076", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/14076" }, { "name": "FLSA-2006:152809", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://fedoranews.org/updates/FEDORA--.shtml" }, { "name": "12432", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/12432" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch" }, { "name": "RHSA-2005:061", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2005-061.html" }, { "name": "oval:org.mitre.oval:def:9573", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9573" }, { "name": "MDKSA-2005:034", "tags": [ "vendor-advisory", "x_refsource_MANDRAKE", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2005:034" }, { "name": "DSA-667", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2005/dsa-667" }, { "name": "20050207 [USN-77-1] Squid vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", 
"x_transferred" ], "url": "http://marc.info/?l=bugtraq\u0026m=110780531820947\u0026w=2" }, { "name": "SUSE-SA:2005:006", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://www.novell.com/linux/security/advisories/2005_06_squid.html" }, { "name": "RHSA-2005:060", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2005-060.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflow" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2005-01-28T00:00:00", "descriptions": [ { "lang": "en", "value": "Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long WCCP packet, which is processed by a recvfrom function call that uses an incorrect length parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-10T00:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "1013045", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1013045" }, { "name": "13319", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/13319" }, { "name": "VU#886006", "tags": [ "third-party-advisory", "x_refsource_CERT-VN" ], "url": "http://www.kb.cert.org/vuls/id/886006" }, { "name": "14076", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/14076" }, { "name": "FLSA-2006:152809", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://fedoranews.org/updates/FEDORA--.shtml" }, { "name": "12432", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/12432" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch" }, { "name": "RHSA-2005:061", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2005-061.html" }, { "name": "oval:org.mitre.oval:def:9573", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9573" }, { "name": "MDKSA-2005:034", "tags": [ "vendor-advisory", "x_refsource_MANDRAKE" ], "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2005:034" }, { "name": "DSA-667", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2005/dsa-667" }, { "name": "20050207 [USN-77-1] Squid vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://marc.info/?l=bugtraq\u0026m=110780531820947\u0026w=2" }, { "name": "SUSE-SA:2005:006", "tags": [ 
"vendor-advisory", "x_refsource_SUSE" ], "url": "http://www.novell.com/linux/security/advisories/2005_06_squid.html" }, { "name": "RHSA-2005:060", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2005-060.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflow" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2005-0211", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long WCCP packet, which is processed by a recvfrom function call that uses an incorrect length parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "1013045", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1013045" }, { "name": "13319", "refsource": "OSVDB", "url": "http://www.osvdb.org/13319" }, { "name": "VU#886006", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/886006" }, { "name": "14076", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/14076" }, { "name": "FLSA-2006:152809", "refsource": "FEDORA", "url": "http://fedoranews.org/updates/FEDORA--.shtml" }, { "name": "12432", "refsource": "BID", "url": "http://www.securityfocus.com/bid/12432" }, { "name": "http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch" }, { "name": "RHSA-2005:061", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2005-061.html" }, { "name": "oval:org.mitre.oval:def:9573", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9573" }, { "name": "MDKSA-2005:034", "refsource": "MANDRAKE", "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2005:034" }, { "name": "DSA-667", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2005/dsa-667" }, { "name": "20050207 [USN-77-1] Squid vulnerabilities", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq\u0026m=110780531820947\u0026w=2" }, { "name": "SUSE-SA:2005:006", "refsource": "SUSE", "url": "http://www.novell.com/linux/security/advisories/2005_06_squid.html" }, { "name": "RHSA-2005:060", "refsource": "REDHAT", "url": "http://www.redhat.com/support/errata/RHSA-2005-060.html" }, { "name": "http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflow", "refsource": "CONFIRM", "url": 
"http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflow" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2005-0211", "datePublished": "2005-02-06T05:00:00", "dateReserved": "2005-02-01T00:00:00", "dateUpdated": "2024-08-07T21:05:25.302Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-9749
Vulnerability from cvelistv5
Published
2015-11-06 21:00
Modified
2024-08-06 13:55
Summary
Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerability."
References
URL | Tags | |
---|---|---|
http://www.openwall.com/lists/oss-security/2015/10/01/1 | mailing-list, x_refsource_MLIST | |
http://bugs.squid-cache.org/show_bug.cgi?id=4066 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2015/10/11/4 | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-updates/2015-10/msg00052.html | vendor-advisory, x_refsource_SUSE | |
http://www.openwall.com/lists/oss-security/2015/10/12/2 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:55:04.368Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20151001 CVE Request: squid: Nonce replay vulnerability in Digest authentication", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/10/01/1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4066" }, { "name": "[oss-security] 20151011 Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/10/11/4" }, { "name": "openSUSE-SU-2015:1835", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00052.html" }, { "name": "[oss-security] 20151012 Re: Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/10/12/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-10-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka \"Nonce replay vulnerability.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-11-06T20:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20151001 CVE Request: squid: Nonce replay 
vulnerability in Digest authentication", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/10/01/1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4066" }, { "name": "[oss-security] 20151011 Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/10/11/4" }, { "name": "openSUSE-SU-2015:1835", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00052.html" }, { "name": "[oss-security] 20151012 Re: Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/10/12/2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9749", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka \"Nonce replay vulnerability.\"" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20151001 CVE Request: squid: Nonce replay vulnerability in Digest authentication", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/01/1" }, { "name": "http://bugs.squid-cache.org/show_bug.cgi?id=4066", "refsource": "CONFIRM", "url": 
"http://bugs.squid-cache.org/show_bug.cgi?id=4066" }, { "name": "[oss-security] 20151011 Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/11/4" }, { "name": "openSUSE-SU-2015:1835", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00052.html" }, { "name": "[oss-security] 20151012 Re: Re: CVE Request: squid: Nonce replay vulnerability in Digest authentication", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/10/12/2" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9749", "datePublished": "2015-11-06T21:00:00", "dateReserved": "2015-10-04T00:00:00", "dateUpdated": "2024-08-06T13:55:04.368Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-18678
Vulnerability from cvelistv5
Published
2019-11-26 16:15
Modified
2024-08-05 02:02
Summary
An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:02:38.289Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/445" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156323" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_10.txt" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", 
"x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-10T23:06:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/pull/445" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156323" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_10.txt" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ 
"vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18678", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/pull/445", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/445" }, { "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156323", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156323" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2019_10.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2019_10.txt" }, { "name": "USN-4213-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "GLSA-202003-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": 
"8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18678", "datePublished": "2019-11-26T16:15:42", "dateReserved": "2019-11-04T00:00:00", "dateUpdated": "2024-08-05T02:02:38.289Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4553
Vulnerability from cvelistv5
Published
2016-05-10 19:00
Modified
2024-08-06 00:32
Summary
client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:32:25.689Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4501" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_7.txt" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035768", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": 
"http://www.securitytracker.com/id/1035768" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3625" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-05-06T00:00:00", "descriptions": [ { "lang": "en", "value": "client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-28T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4501" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_7.txt" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ 
"vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035768", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035768" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3625" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4553", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "http://bugs.squid-cache.org/show_bug.cgi?id=4501", "refsource": "CONFIRM", "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4501" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_7.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_7.txt" }, { "name": "USN-2995-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch" }, { "name": "RHSA-2016:1140", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1139", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035768", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035768" }, { "name": "DSA-3625", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3625" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", 
"assignerShortName": "mitre", "cveId": "CVE-2016-4553", "datePublished": "2016-05-10T19:00:00", "dateReserved": "2016-05-06T00:00:00", "dateUpdated": "2024-08-06T00:32:25.689Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41318
Vulnerability from cvelistv5
Published
2022-12-25 00:00
Modified
2024-08-03 12:42
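Severity: not provided (the record below has no CVSS metrics entry; its affected product and version fields are "n/a", so the affected versions appear only in the summary)
EPSS score: not shown on this page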
Summary
A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:42:44.884Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_2.patch" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_2.patch" }, { "tags": [ "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2022/09/23/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-25T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78" }, { "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_2.patch" }, { "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_2.patch" }, { "url": "https://www.openwall.com/lists/oss-security/2022/09/23/2" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-41318", "datePublished": "2022-12-25T00:00:00", "dateReserved": "2022-09-23T00:00:00", "dateUpdated": "2024-08-03T12:42:44.884Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-31807
Vulnerability from cvelistv5
Published
2021-06-08 00:00
Modified
2024-08-03 23:10
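Severity: not provided (the record below has no CVSS metrics entry; its affected product and version fields are "n/a", so the affected versions appear only in the summary)
EPSS score: not shown on this page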
Summary
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:10:30.180Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210716-0007/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. 
An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-17T04:06:20.125839", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf" }, { "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "url": "https://security.netapp.com/advisory/ntap-20210716-0007/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31807", "datePublished": "2021-06-08T00:00:00", "dateReserved": "2021-04-26T00:00:00", 
"dateUpdated": "2024-08-03T23:10:30.180Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-5400
Vulnerability from cvelistv5
Published
2015-09-28 20:00
Modified
2024-08-06 06:50
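Severity: not provided (the record below has no CVSS metrics entry; its affected product and version fields are "n/a", so the affected versions appear only in the summary)
EPSS score: not shown on this page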
Summary
Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:50:02.095Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20150706 Squid HTTP proxy CVE request", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/07/06/8" }, { "name": "1032873", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1032873" }, { "name": "FEDORA-2016-7b40eb9e29", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183598.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20150717 Re: Re: Squid HTTP proxy CVE request", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/07/17/14" }, { "name": "[oss-security] 20150709 Re: Squid HTTP proxy CVE request", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/07/09/12" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch" }, { "name": "[oss-security] 20150710 Re: Squid HTTP proxy CVE request", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/07/10/2" }, { "name": 
"SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2015_2.txt" }, { "name": "DSA-3327", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3327" }, { "name": "75553", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/75553" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-21T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20150706 Squid HTTP proxy CVE request", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/07/06/8" }, { "name": "1032873", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1032873" }, { "name": "FEDORA-2016-7b40eb9e29", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183598.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20150717 Re: Re: Squid HTTP proxy CVE request", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/07/17/14" }, { "name": "[oss-security] 20150709 Re: Squid HTTP proxy CVE request", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/07/09/12" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch" }, { "name": "[oss-security] 20150710 Re: Squid HTTP proxy CVE request", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/07/10/2" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2015_2.txt" }, { "name": "DSA-3327", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3327" }, { "name": "75553", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/75553" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-5400", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20150706 Squid HTTP proxy CVE request", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/07/06/8" }, { "name": "1032873", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032873" }, { "name": "FEDORA-2016-7b40eb9e29", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183598.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20150717 Re: Re: Squid HTTP proxy CVE request", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/07/17/14" }, { "name": "[oss-security] 20150709 Re: Squid HTTP proxy CVE request", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/07/09/12" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch" }, { "name": "[oss-security] 20150710 Re: Squid HTTP proxy CVE request", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/07/10/2" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2015_2.txt", "refsource": "CONFIRM", "url": 
"http://www.squid-cache.org/Advisories/SQUID-2015_2.txt" }, { "name": "DSA-3327", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3327" }, { "name": "75553", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75553" }, { "name": "http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-5400", "datePublished": "2015-09-28T20:00:00", "dateReserved": "2015-07-06T00:00:00", "dateUpdated": "2024-08-06T06:50:02.095Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-2571
Vulnerability from cvelistv5
Published
2016-02-27 02:00
Modified
2024-08-05 23:32
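Severity: not provided (the record below has no CVSS metrics entry; its affected product and version fields are "n/a", so the affected versions appear only in the summary)
EPSS score: not shown on this page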
Summary
http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:32:20.940Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "DSA-3522", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3522" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", 
"tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035101" }, { "name": "USN-2921-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2921-1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-02-26T00:00:00", "descriptions": [ { "lang": "en", "value": "http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-15T09:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "DSA-3522", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3522" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035101" }, { "name": "USN-2921-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2921-1" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2571", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3557-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13990.patch" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "DSA-3522", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3522" }, { "name": "RHSA-2016:2600", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035101" }, { "name": "USN-2921-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2921-1" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", 
"assignerShortName": "mitre", "cveId": "CVE-2016-2571", "datePublished": "2016-02-27T02:00:00", "dateReserved": "2016-02-26T00:00:00", "dateUpdated": "2024-08-05T23:32:20.940Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-3072
Vulnerability from cvelistv5
Published
2010-09-20 20:00
Modified
2024-08-07 02:55
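Severity: not provided (the record below has no CVSS metrics entry; its affected product and version fields are "n/a", so the affected versions appear only in the summary)
EPSS score: not shown on this page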
Summary
The string-comparison functions in String.cci in Squid 3.x before 3.1.8 and 3.2.x before 3.2.0.2 allow remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T02:55:46.853Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2010-14236", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047820.html" }, { "name": "[oss-security] 20100905 CVE Request -- Squid -- Denial of service due internal error in string handling (SQUID-2010:3)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/09/05/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=630444" }, { "name": "FEDORA-2010-14222", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047787.html" }, { "name": "41298", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41298" }, { "name": "ADV-2010-2433", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2433" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2010_3.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9189.patch" }, { "name": "41477", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41477" }, { "name": "DSA-2111", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2010/dsa-2111" }, { "name": "42982", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/42982" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], 
"url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10090.patch" }, { "name": "41534", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41534" }, { "name": "SUSE-SR:2010:019", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html" }, { "name": "[oss-security] 20100907 Re: CVE Request -- Squid -- Denial of service due internal error in string handling (SQUID-2010:3)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/09/07/7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-09-03T00:00:00", "descriptions": [ { "lang": "en", "value": "The string-comparison functions in String.cci in Squid 3.x before 3.1.8 and 3.2.x before 3.2.0.2 allow remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-09-28T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "FEDORA-2010-14236", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047820.html" }, { "name": "[oss-security] 20100905 CVE Request -- Squid -- Denial of service due internal error in string handling (SQUID-2010:3)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/09/05/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=630444" }, { "name": "FEDORA-2010-14222", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047787.html" }, { "name": "41298", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41298" }, { "name": "ADV-2010-2433", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2433" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2010_3.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9189.patch" }, { "name": "41477", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41477" }, { "name": "DSA-2111", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2010/dsa-2111" }, { "name": "42982", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/42982" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10090.patch" }, { "name": "41534", "tags": [ 
"third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41534" }, { "name": "SUSE-SR:2010:019", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html" }, { "name": "[oss-security] 20100907 Re: CVE Request -- Squid -- Denial of service due internal error in string handling (SQUID-2010:3)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/09/07/7" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-3072", "datePublished": "2010-09-20T20:00:00", "dateReserved": "2010-08-20T00:00:00", "dateUpdated": "2024-08-07T02:55:46.853Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-46784
Vulnerability from cvelistv5
Published
2022-07-17 00:00
Modified
2024-08-04 05:17
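Severity: not provided (the record below has no CVSS metrics entry; its affected product and version fields are "n/a", so the affected versions appear only in the summary)
EPSS score: not shown on this page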
Summary
In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T05:17:42.311Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/5e2ea2b13bd98f53e29964ca26bb0d602a8a12b9" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2021_7.patch" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2021_7.patch" }, { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-f5cp-6rh3-284w" }, { "tags": [ "x_transferred" ], "url": "https://security-tracker.debian.org/tracker/CVE-2021-46784" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20221223-0007/" }, { "name": "[oss-security] 20231013 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/13/1" }, { "name": "[oss-security] 20231013 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/13/10" }, { "name": "[oss-security] 20231021 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/21/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-21T23:06:16.659186", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/squid-cache/squid/commit/5e2ea2b13bd98f53e29964ca26bb0d602a8a12b9" }, { "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2021_7.patch" }, { "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2021_7.patch" }, { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-f5cp-6rh3-284w" }, { "url": "https://security-tracker.debian.org/tracker/CVE-2021-46784" }, { "url": "https://security.netapp.com/advisory/ntap-20221223-0007/" }, { "name": "[oss-security] 20231013 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/13/1" }, { "name": "[oss-security] 20231013 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/13/10" }, { "name": "[oss-security] 20231021 Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/21/1" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-46784", "datePublished": "2022-07-17T00:00:00", "dateReserved": "2022-04-21T00:00:00", "dateUpdated": "2024-08-04T05:17:42.311Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-0308
Vulnerability from cvelistv5
Published
2010-02-03 18:00
Modified
2024-08-07 00:45
Summary
lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:45:11.819Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "38451", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38451" }, { "name": "38455", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38455" }, { "name": "62044", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/62044" }, { "name": "37522", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/37522" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-9853.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch" }, { "name": "squid-dns-dos(56001)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56001" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2010_1.txt" }, { "name": "oval:org.mitre.oval:def:11270", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11270" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch" }, { "name": "1023520", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1023520" }, { "name": "ADV-2010-0260", "tags": [ "vdb-entry", "x_refsource_VUPEN", 
"x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/0260" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-12-27T00:00:00", "descriptions": [ { "lang": "en", "value": "lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-18T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "38451", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38451" }, { "name": "38455", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38455" }, { "name": "62044", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/62044" }, { "name": "37522", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/37522" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-9853.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch" }, { "name": "squid-dns-dos(56001)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56001" }, { "tags": [ "x_refsource_MISC" ], "url": "http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2010_1.txt" }, { "name": "oval:org.mitre.oval:def:11270", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": 
"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11270" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch" }, { "name": "1023520", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1023520" }, { "name": "ADV-2010-0260", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/0260" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-0308", "datePublished": "2010-02-03T18:00:00", "dateReserved": "2010-01-12T00:00:00", "dateUpdated": "2024-08-07T00:45:11.819Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-41317
Vulnerability from cvelistv5
Published
2022-12-25 00:00
Modified
2024-08-03 12:42
Summary
An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T12:42:46.213Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch" }, { "tags": [ "x_transferred" ], "url": "https://www.openwall.com/lists/oss-security/2022/09/23/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-25T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq" }, { "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch" }, { "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch" }, { "url": "https://www.openwall.com/lists/oss-security/2022/09/23/1" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-41317", "datePublished": "2022-12-25T00:00:00", "dateReserved": "2022-09-23T00:00:00", "dateUpdated": "2024-08-03T12:42:46.213Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-2855
Vulnerability from cvelistv5
Published
2009-08-18 20:41
Modified
2024-08-07 06:07
Summary
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:07:36.421Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20090803 Re: squid DoS in external auth header parser", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2009/08/03/3" }, { "name": "36091", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/36091" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982" }, { "name": "[oss-security] 20090804 Re: squid DoS in external auth header parser", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2009/08/04/6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/bugs/show_bug.cgi?id=2704" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/bugs/show_bug.cgi?id=2541" }, { "name": "1022757", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1022757" }, { "name": "oval:org.mitre.oval:def:10592", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL", "x_transferred" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10592" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=518182" }, { "name": "[oss-security] 20090720 squid DoS in external auth header parser", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2009/07/20/10" }, { "name": "squid-strlistgetitem-dos(52610)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52610" }, { "tags": [ 
"x_refsource_MISC", "x_transferred" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31%3Bfilename=diff%3Batt=1%3Bbug=534982" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-07-06T00:00:00", "descriptions": [ { "lang": "en", "value": "The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20090803 Re: squid DoS in external auth header parser", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2009/08/03/3" }, { "name": "36091", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/36091" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982" }, { "name": "[oss-security] 20090804 Re: squid DoS in external auth header parser", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2009/08/04/6" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/bugs/show_bug.cgi?id=2704" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/bugs/show_bug.cgi?id=2541" }, { "name": "1022757", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1022757" }, { "name": "oval:org.mitre.oval:def:10592", "tags": [ "vdb-entry", "signature", "x_refsource_OVAL" ], "url": 
"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10592" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=518182" }, { "name": "[oss-security] 20090720 squid DoS in external auth header parser", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2009/07/20/10" }, { "name": "squid-strlistgetitem-dos(52610)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52610" }, { "tags": [ "x_refsource_MISC" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31%3Bfilename=diff%3Batt=1%3Bbug=534982" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-2855", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20090803 Re: squid DoS in external auth header parser", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/08/03/3" }, { "name": "36091", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36091" }, { "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982", "refsource": "CONFIRM", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982" }, { "name": "[oss-security] 20090804 Re: squid DoS in external auth header parser", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/08/04/6" }, { "name": "http://www.squid-cache.org/bugs/show_bug.cgi?id=2704", "refsource": "MISC", "url": "http://www.squid-cache.org/bugs/show_bug.cgi?id=2704" }, { "name": "http://www.squid-cache.org/bugs/show_bug.cgi?id=2541", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/bugs/show_bug.cgi?id=2541" }, { "name": "1022757", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1022757" }, { "name": "oval:org.mitre.oval:def:10592", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10592" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=518182", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=518182" }, { "name": "[oss-security] 20090720 squid DoS in external auth header parser", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/07/20/10" }, { "name": "squid-strlistgetitem-dos(52610)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/52610" }, { "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=diff;att=1;bug=534982", "refsource": "MISC", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;filename=diff;att=1;bug=534982" } ] } } } }, 
"cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-2855", "datePublished": "2009-08-18T20:41:00", "dateReserved": "2009-08-18T00:00:00", "dateUpdated": "2024-08-07T06:07:36.421Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49285
Vulnerability from cvelistv5
Published
2023-12-04 22:56
Modified
2024-08-02 21:53
Severity: 8.6 HIGH (CVSS 3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
Summary
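Denial of Service in HTTP Message Processing in Squid. A buffer over-read (CWE-126) in HTTP message processing affects Squid >= 2.2, < 6.5; it is fixed in Squid 6.5, and the record lists no known workarounds.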
References
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:53:45.105Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9" }, { "name": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b" }, { "name": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470" }, { "name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240119-0004/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": 
"\u003e= 2.2, \u003c 6.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-126", "description": "CWE-126: Buffer Over-read", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-04T22:56:55.105Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9" }, { "name": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b" }, { "name": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470" }, { "name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch", "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch", 
"tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" }, { "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html" }, { "url": "https://security.netapp.com/advisory/ntap-20240119-0004/" } ], "source": { "advisory": "GHSA-8w9r-p88v-mmx9", "discovery": "UNKNOWN" }, "title": "Denial of Service in HTTP Message Processing in Squid" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-49285", "datePublished": "2023-12-04T22:56:55.105Z", "dateReserved": "2023-11-24T16:45:24.312Z", "dateUpdated": "2024-08-02T21:53:45.105Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-8450
Vulnerability from cvelistv5
Published
2020-02-04 19:51
Modified
2024-08-04 09:56
Summary
An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:56:28.485Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_1.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch" }, { "name": "USN-4289-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "FEDORA-2020-ab8e7463ab", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/" }, { "name": "FEDORA-2020-790296a8f4", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/" }, { "name": "openSUSE-SU-2020:0606", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210304-0002/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-04T12:06:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_1.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch" }, { "name": "USN-4289-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "FEDORA-2020-ab8e7463ab", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/" }, { "name": "FEDORA-2020-790296a8f4", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/" }, { "name": "openSUSE-SU-2020:0606", "tags": [ 
"vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210304-0002/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8450", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2020_1.txt", "refsource": "MISC", "url": "http://www.squid-cache.org/Advisories/SQUID-2020_1.txt" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch" }, { "name": "USN-4289-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "FEDORA-2020-ab8e7463ab", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/" }, { 
"name": "FEDORA-2020-790296a8f4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/" }, { "name": "openSUSE-SU-2020:0606", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210304-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210304-0002/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8450", "datePublished": "2020-02-04T19:51:21", "dateReserved": "2020-01-30T00:00:00", "dateUpdated": "2024-08-04T09:56:28.485Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28651
Vulnerability from cvelistv5
Published
2021-05-27 00:00
Modified
2024-08-03 21:47
Summary
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:47:32.975Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://bugs.squid-cache.org/show_bug.cgi?id=5104" }, { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4" }, { "name": "DSA-4924", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210716-0007/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. 
Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-17T04:06:23.574133", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://bugs.squid-cache.org/show_bug.cgi?id=5104" }, { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4" }, { "name": "DSA-4924", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "url": "https://security.netapp.com/advisory/ntap-20210716-0007/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28651", 
"datePublished": "2021-05-27T00:00:00", "dateReserved": "2021-03-17T00:00:00", "dateUpdated": "2024-08-03T21:47:32.975Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-3609
Vulnerability from cvelistv5
Published
2014-09-11 18:00
Modified
2024-08-06 10:50
Summary
HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted "Range headers with unidentifiable byte-range values."
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:50:17.607Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "61320", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/61320" }, { "name": "60179", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/60179" }, { "name": "SUSE-SU-2014:1140", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00025.html" }, { "name": "USN-2327-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2327-1" }, { "name": "DSA-3139", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3139" }, { "name": "openSUSE-SU-2014:1144", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00029.html" }, { "name": "DSA-3014", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2014/dsa-3014" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2014_2.txt" }, { "name": "RHSA-2014:1147", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1147.html" }, { "name": "60334", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/60334" }, { "name": "69453", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/69453" }, { "tags": [ 
"x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patch" }, { "name": "61412", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/61412" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-08-28T00:00:00", "descriptions": [ { "lang": "en", "value": "HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted \"Range headers with unidentifiable byte-range values.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-01-04T17:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "61320", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/61320" }, { "name": "60179", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/60179" }, { "name": "SUSE-SU-2014:1140", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00025.html" }, { "name": "USN-2327-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2327-1" }, { "name": "DSA-3139", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3139" }, { "name": "openSUSE-SU-2014:1144", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00029.html" }, { "name": "DSA-3014", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2014/dsa-3014" }, { "tags": [ "x_refsource_CONFIRM" ], 
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2014_2.txt" }, { "name": "RHSA-2014:1147", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-1147.html" }, { "name": "60334", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/60334" }, { "name": "69453", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/69453" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patch" }, { "name": "61412", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/61412" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3609", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "HttpHdrRange.cc in Squid 3.x before 3.3.12 and 3.4.x before 3.4.6 allows remote attackers to cause a denial of service (crash) via a request with crafted \"Range headers with unidentifiable byte-range values.\"" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "61320", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/61320" }, { "name": "60179", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60179" }, { "name": "SUSE-SU-2014:1140", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00025.html" }, { "name": "USN-2327-1", "refsource": 
"UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2327-1" }, { "name": "DSA-3139", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3139" }, { "name": "openSUSE-SU-2014:1144", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00029.html" }, { "name": "DSA-3014", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-3014" }, { "name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2014_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2014_2.txt" }, { "name": "RHSA-2014:1147", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1147.html" }, { "name": "60334", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60334" }, { "name": "69453", "refsource": "BID", "url": "http://www.securityfocus.com/bid/69453" }, { "name": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9201.patch" }, { "name": "61412", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/61412" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3609", "datePublished": "2014-09-11T18:00:00", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:50:17.607Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-2213
Vulnerability from cvelistv5
Published
2012-04-28 10:00
Modified
2024-09-16 22:19
Summary
Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a "req_header Host" acl regex that matches www.uol.com.br
References
▼ | URL | Tags |
---|---|---|
http://archives.neohapsis.com/archives/bugtraq/2012-04/0146.html | mailing-list, x_refsource_BUGTRAQ | |
http://archives.neohapsis.com/archives/bugtraq/2012-04/0163.html | mailing-list, x_refsource_BUGTRAQ | |
http://archives.neohapsis.com/archives/bugtraq/2012-04/0131.html | mailing-list, x_refsource_BUGTRAQ | |
http://archives.neohapsis.com/archives/bugtraq/2012-04/0165.html | mailing-list, x_refsource_BUGTRAQ | |
http://archives.neohapsis.com/archives/bugtraq/2012-04/0117.html | mailing-list, x_refsource_BUGTRAQ | |
http://archives.neohapsis.com/archives/bugtraq/2012-04/0140.html | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:26:08.988Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20120419 RE: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0146.html" }, { "name": "20120420 Re: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0163.html" }, { "name": "20120418 Re: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0131.html" }, { "name": "20120421 Re: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0165.html" }, { "name": "20120416 Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0117.html" }, { "name": "20120419 Re: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0140.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. 
NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a \"req_header Host\" acl regex that matches www.uol.com.br" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-04-28T10:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20120419 RE: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0146.html" }, { "name": "20120420 Re: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0163.html" }, { "name": "20120418 Re: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0131.html" }, { "name": "20120421 Re: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0165.html" }, { "name": "20120416 Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0117.html" }, { "name": "20120419 Re: Squid URL Filtering Bypass", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0140.html" } ], "tags": [ "disputed" ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-2213", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, 
"data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "** DISPUTED ** Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a \"req_header Host\" acl regex that matches www.uol.com.br." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20120419 RE: Squid URL Filtering Bypass", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0146.html" }, { "name": "20120420 Re: Squid URL Filtering Bypass", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0163.html" }, { "name": "20120418 Re: Squid URL Filtering Bypass", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0131.html" }, { "name": "20120421 Re: Squid URL Filtering Bypass", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0165.html" }, { "name": "20120416 Squid URL Filtering Bypass", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0117.html" }, { "name": "20120419 Re: Squid URL Filtering Bypass", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0140.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-2213", "datePublished": "2012-04-28T10:00:00Z", "dateReserved": "2012-04-06T00:00:00Z", "dateUpdated": "2024-09-16T22:19:37.657Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
cve-2023-5824
Vulnerability from cvelistv5
Published
2023-11-03 07:56
Modified
2024-10-24 17:54
Summary
Squid: dos against http and https
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2023:7465 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2023:7668 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:0072 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:0397 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:0771 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:0772 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:0773 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:1153 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2023-5824 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2245914 | issue-tracking, x_refsource_REDHAT | |
https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255 |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T08:14:24.068Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2023:7465", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:7465" }, { "name": "RHSA-2023:7668", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:7668" }, { "name": "RHSA-2024:0072", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:0072" }, { "name": "RHSA-2024:0397", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:0397" }, { "name": "RHSA-2024:0771", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:0771" }, { "name": "RHSA-2024:0772", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:0772" }, { "name": "RHSA-2024:0773", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:0773" }, { "name": "RHSA-2024:1153", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2024:1153" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-5824" }, { "name": "RHBZ#2245914", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245914" }, { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231130-0003/" } ], "title": "CVE Program Container" } ], 
"cna": { "affected": [ { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8090020231130092412.a75119d5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8020020240122164331.4cda2c84", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8020020240122164331.4cda2c84", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_tus:8.2::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8020020240122164331.4cda2c84", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ 
"cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8040020240122165847.522a0ee4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8040020240122165847.522a0ee4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8040020240122165847.522a0ee4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:8.6::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8060020231222131040.ad008a3a", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:8.8::appstream" ], "defaultStatus": "affected", "packageName": 
"squid:4", "product": "Red Hat Enterprise Linux 8.8 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8080020231222130009.63b34585", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.5-6.el9_3.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.0::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.2-1.el9_0.4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.2::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.5-5.el9_2.3", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" } ], "datePublic": "2023-10-19T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "A flaw was found in Squid. 
The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-755", "description": "Improper Handling of Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-24T17:54:45.081Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2023:7465", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:7465" }, { "name": "RHSA-2023:7668", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:7668" }, { "name": "RHSA-2024:0072", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:0072" }, { "name": "RHSA-2024:0397", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:0397" }, { "name": "RHSA-2024:0771", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:0771" }, { "name": "RHSA-2024:0772", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": 
"https://access.redhat.com/errata/RHSA-2024:0772" }, { "name": "RHSA-2024:0773", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:0773" }, { "name": "RHSA-2024:1153", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2024:1153" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-5824" }, { "name": "RHBZ#2245914", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245914" }, { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255" } ], "timeline": [ { "lang": "en", "time": "2023-10-24T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-10-19T00:00:00+00:00", "value": "Made public." } ], "title": "Squid: dos against http and https", "workarounds": [ { "lang": "en", "value": "Disabling the disk caching mechanism will mitigate this vulnerability. To achieve this, remove all the \u0027cache_dir\u0027 directives from the Squid configuration, typically in the /etc/squid/squid.conf file." } ], "x_redhatCweChain": "CWE-755: Improper Handling of Exceptional Conditions" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-5824", "datePublished": "2023-11-03T07:56:36.369Z", "dateReserved": "2023-10-27T09:37:47.593Z", "dateUpdated": "2024-10-24T17:54:45.081Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4556
Vulnerability from cvelistv5
Published
2016-05-10 19:00
Modified
2024-08-06 00:32
Summary
Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:32:25.755Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "[oss-security] 20160506 Re: CVE Request: Squid HTTP caching proxy", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/05/06/5" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "1035770", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035770" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], 
"url": "http://www.squid-cache.org/Advisories/SQUID-2016_9.txt" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160506 CVE Request: Squid HTTP caching proxy", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/05/06/3" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3625" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-05-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-28T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "[oss-security] 20160506 Re: CVE Request: Squid HTTP caching proxy", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/05/06/5" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "1035770", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035770" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_9.txt" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", 
"x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160506 CVE Request: Squid HTTP caching proxy", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/05/06/3" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3625" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4556", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch" }, { "name": "USN-2995-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "[oss-security] 20160506 Re: CVE Request: Squid HTTP caching proxy", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/05/06/5" }, { "name": "RHSA-2016:1140", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "1035770", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035770" }, { "name": "RHSA-2016:1138", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_9.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_9.txt" }, { "name": "RHSA-2016:1139", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": 
"SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160506 CVE Request: Squid HTTP caching proxy", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/05/06/3" }, { "name": "DSA-3625", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3625" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4556", "datePublished": "2016-05-10T19:00:00", "dateReserved": "2016-05-06T00:00:00", "dateUpdated": "2024-08-06T00:32:25.755Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-18679
Vulnerability from cvelistv5
Published
2019-11-26 16:14
Modified
2024-08-05 02:02
Summary
An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within a heap memory allocation. This information reduces ASLR protections and may aid attackers in isolating memory areas to target for remote code execution attacks.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:02:39.623Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/491" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156324" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_11.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", 
"x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-10T23:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/pull/491" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156324" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_11.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18679", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/pull/491", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/491" }, { "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156324", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156324" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2019_11.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2019_11.txt" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch" }, { "name": "USN-4213-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "GLSA-202003-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": 
"8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18679", "datePublished": "2019-11-26T16:14:03", "dateReserved": "2019-11-04T00:00:00", "dateUpdated": "2024-08-05T02:02:39.623Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-41611
Vulnerability from cvelistv5
Published
2021-10-18 08:56
Modified
2024-08-04 03:15
Summary
An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. When validating an origin server or peer certificate, Squid may incorrectly classify certain certificates as trusted. This problem allows a remote server to improperly obtain security trust. This indication of trust may be passed along to clients, allowing access to unsafe or hijacked services.
References
▼ | URL | Tags |
---|---|---|
http://www.squid-cache.org/Versions/v6/changesets/squid-6-43d6b5c81b88ec2256b430c69a872a1e4f324e4a.patch | x_refsource_MISC | |
https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CWQ2WKDWTSO47S3F6XJJ6HGG2ULWEAE4/ | vendor-advisory, x_refsource_FEDORA | |
http://www.openwall.com/lists/oss-security/2021/12/23/2 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:15:29.048Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v6/changesets/squid-6-43d6b5c81b88ec2256b430c69a872a1e4f324e4a.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r" }, { "name": "FEDORA-2021-15d2f70a07", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CWQ2WKDWTSO47S3F6XJJ6HGG2ULWEAE4/" }, { "name": "[oss-security] 20211223 CVE-2021-44273: e2guardian did not validate TLS hostnames", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/23/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. When validating an origin server or peer certificate, Squid may incorrectly classify certain certificates as trusted. This problem allows a remote server to obtain security trust well improperly. This indication of trust may be passed along to clients, allowing access to unsafe or hijacked services." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-12-23T21:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v6/changesets/squid-6-43d6b5c81b88ec2256b430c69a872a1e4f324e4a.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r" }, { "name": "FEDORA-2021-15d2f70a07", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CWQ2WKDWTSO47S3F6XJJ6HGG2ULWEAE4/" }, { "name": "[oss-security] 20211223 CVE-2021-44273: e2guardian did not validate TLS hostnames", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/12/23/2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-41611", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. When validating an origin server or peer certificate, Squid may incorrectly classify certain certificates as trusted. This problem allows a remote server to obtain security trust well improperly. This indication of trust may be passed along to clients, allowing access to unsafe or hijacked services." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v6/changesets/squid-6-43d6b5c81b88ec2256b430c69a872a1e4f324e4a.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v6/changesets/squid-6-43d6b5c81b88ec2256b430c69a872a1e4f324e4a.patch" }, { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r", "refsource": "CONFIRM", "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r" }, { "name": "FEDORA-2021-15d2f70a07", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWQ2WKDWTSO47S3F6XJJ6HGG2ULWEAE4/" }, { "name": "[oss-security] 20211223 CVE-2021-44273: e2guardian did not validate TLS hostnames", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/12/23/2" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-41611", "datePublished": "2021-10-18T08:56:16", "dateReserved": "2021-09-25T00:00:00", "dateUpdated": "2024-08-04T03:15:29.048Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49286
Vulnerability from cvelistv5
Published
2023-12-04 22:53
Modified
2024-08-02 21:53
Summary
Denial of Service in Helper Process management
References
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:53:45.223Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27" }, { "name": "https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240119-0004/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003c 6.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-617", "description": "CWE-617: Reachable Assertion", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-253", "description": "CWE-253: Incorrect Check of Function Return Value", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-04T22:53:44.827Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27" }, { "name": "https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch", "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" }, { "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html" }, { "url": "https://security.netapp.com/advisory/ntap-20240119-0004/" } ], "source": { "advisory": "GHSA-xggx-9329-3c27", "discovery": "UNKNOWN" }, "title": "Denial of Service in Helper 
Process management" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-49286", "datePublished": "2023-12-04T22:53:44.827Z", "dateReserved": "2023-11-24T16:45:24.312Z", "dateUpdated": "2024-08-02T21:53:45.223Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-10003
Vulnerability from cvelistv5
Published
2017-01-27 17:00
Modified
2024-08-06 03:07
Severity ?
EPSS score ?
Summary
Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in the Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients.
References
▼ | URL | Tags |
---|---|---|
http://www.openwall.com/lists/oss-security/2016/12/18/1 | mailing-list, x_refsource_MLIST | |
http://www.securitytracker.com/id/1037512 | vdb-entry, x_refsource_SECTRACK | |
http://www.securityfocus.com/bid/94953 | vdb-entry, x_refsource_BID | |
http://www.squid-cache.org/Advisories/SQUID-2016_10.txt | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T03:07:31.873Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20161217 Re: CVE Request - squid HTTP proxy multiple Information Disclosure issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/18/1" }, { "name": "1037512", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1037512" }, { "name": "94953", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/94953" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_10.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-12-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-01-27T16:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20161217 Re: CVE Request - squid HTTP proxy multiple Information Disclosure issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/12/18/1" }, { "name": "1037512", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1037512" }, { "name": "94953", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/94953" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_10.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-10003", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20161217 Re: CVE Request - squid HTTP proxy multiple Information Disclosure issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/12/18/1" }, { "name": "1037512", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1037512" }, { "name": "94953", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94953" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_10.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_10.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-10003", "datePublished": "2017-01-27T17:00:00", "dateReserved": "2016-12-17T00:00:00", "dateUpdated": "2024-08-06T03:07:31.873Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-3455
Vulnerability from cvelistv5
Published
2015-05-18 15:00
Modified
2024-08-06 05:47
Summary
Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.
References
URL | Tags | |
---|---|---|
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183598.html | vendor-advisory, x_refsource_FEDORA | |
http://rhn.redhat.com/errata/RHSA-2015-2378.html | vendor-advisory, x_refsource_REDHAT | |
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-updates/2015-09/msg00016.html | vendor-advisory, x_refsource_SUSE | |
http://www.securityfocus.com/bid/74438 | vdb-entry, x_refsource_BID | |
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | x_refsource_CONFIRM | |
http://www.securitytracker.com/id/1032221 | vdb-entry, x_refsource_SECTRACK | |
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html | vendor-advisory, x_refsource_SUSE | |
http://advisories.mageia.org/MGASA-2015-0191.html | x_refsource_CONFIRM | |
http://www.mandriva.com/security/advisories?name=MDVSA-2015:230 | vendor-advisory, x_refsource_MANDRIVA | |
http://www.squid-cache.org/Advisories/SQUID-2015_1.txt | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:47:57.745Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2016-7b40eb9e29", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183598.html" }, { "name": "RHSA-2015:2378", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2378.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "openSUSE-SU-2015:1546", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00016.html" }, { "name": "74438", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74438" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html" }, { "name": "1032221", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1032221" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://advisories.mageia.org/MGASA-2015-0191.html" }, { "name": "MDVSA-2015:230", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:230" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2015_1.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { 
"status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-05-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-20T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "FEDORA-2016-7b40eb9e29", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183598.html" }, { "name": "RHSA-2015:2378", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2015-2378.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "openSUSE-SU-2015:1546", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00016.html" }, { "name": "74438", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74438" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html" }, { "name": "1032221", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1032221" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://advisories.mageia.org/MGASA-2015-0191.html" }, { "name": "MDVSA-2015:230", "tags": [ "vendor-advisory", 
"x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:230" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2015_1.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3455", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "FEDORA-2016-7b40eb9e29", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183598.html" }, { "name": "RHSA-2015:2378", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-2378.html" }, { "name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "openSUSE-SU-2015:1546", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-09/msg00016.html" }, { "name": "74438", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74438" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "refsource": "CONFIRM", "url": 
"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html" }, { "name": "1032221", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1032221" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "http://advisories.mageia.org/MGASA-2015-0191.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2015-0191.html" }, { "name": "MDVSA-2015:230", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:230" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2015_1.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2015_1.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3455", "datePublished": "2015-05-18T15:00:00", "dateReserved": "2015-04-29T00:00:00", "dateUpdated": "2024-08-06T05:47:57.745Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-6270
Vulnerability from cvelistv5
Published
2014-09-12 14:00
Modified
2024-08-06 12:10
Summary
Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted UDP SNMP request, which triggers a heap-based buffer overflow.
References
URL | Tags | |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/95873 | vdb-entry, x_refsource_XF | |
https://security.gentoo.org/glsa/201607-01 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html | x_refsource_CONFIRM | |
https://bugzilla.redhat.com/show_bug.cgi?id=1139967 | x_refsource_CONFIRM | |
http://seclists.org/oss-sec/2014/q3/542 | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE | |
https://bugzilla.novell.com/show_bug.cgi?id=895773 | x_refsource_CONFIRM | |
http://seclists.org/oss-sec/2014/q3/550 | mailing-list, x_refsource_MLIST | |
http://www.ubuntu.com/usn/USN-2921-1 | vendor-advisory, x_refsource_UBUNTU | |
http://www.securityfocus.com/bid/69686 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T12:10:13.341Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "squid-cve20146270-bo(95873)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95873" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1139967" }, { "name": "[oss-security] 20140909 CVE-Request: squid snmp off-by-one", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q3/542" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.novell.com/show_bug.cgi?id=895773" }, { "name": "[oss-security] 20140909 Re: CVE-Request: squid snmp off-by-one", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q3/550" }, { "name": "USN-2921-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2921-1" }, { "name": "69686", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/69686" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", 
"vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-09-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted UDP SNMP request, which triggers a heap-based buffer overflow." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-07T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "squid-cve20146270-bo(95873)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95873" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1139967" }, { "name": "[oss-security] 20140909 CVE-Request: squid snmp off-by-one", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q3/542" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.novell.com/show_bug.cgi?id=895773" }, { "name": "[oss-security] 20140909 Re: CVE-Request: squid snmp off-by-one", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": 
"http://seclists.org/oss-sec/2014/q3/550" }, { "name": "USN-2921-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2921-1" }, { "name": "69686", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/69686" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-6270", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted UDP SNMP request, which triggers a heap-based buffer overflow." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "squid-cve20146270-bo(95873)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95873" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1139967", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1139967" }, { "name": "[oss-security] 20140909 CVE-Request: squid snmp off-by-one", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q3/542" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "https://bugzilla.novell.com/show_bug.cgi?id=895773", "refsource": "CONFIRM", "url": "https://bugzilla.novell.com/show_bug.cgi?id=895773" }, { "name": "[oss-security] 20140909 Re: CVE-Request: squid snmp off-by-one", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q3/550" }, { "name": "USN-2921-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2921-1" }, { "name": "69686", "refsource": "BID", "url": "http://www.securityfocus.com/bid/69686" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-6270", "datePublished": "2014-09-12T14:00:00", "dateReserved": "2014-09-09T00:00:00", "dateUpdated": "2024-08-06T12:10:13.341Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12854
Vulnerability from cvelistv5
Published
2019-08-15 16:15
Modified
2024-08-04 23:32
Summary
Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it.
References
URL | Tags | |
---|---|---|
http://www.squid-cache.org/Advisories/SQUID-2019_1.txt | x_refsource_MISC | |
https://bugs.squid-cache.org/show_bug.cgi?id=4937 | x_refsource_MISC | |
http://www.squid-cache.org/Versions/v4/changesets/squid-4-2981a957716c61ff7e21eee1d7d6eb5a237e466d.patch | x_refsource_MISC | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/ | x_refsource_CONFIRM | |
https://www.debian.org/security/2019/dsa-4507 | vendor-advisory, x_refsource_DEBIAN | |
https://seclists.org/bugtraq/2019/Aug/42 | mailing-list, x_refsource_BUGTRAQ | |
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html | vendor-advisory, x_refsource_SUSE | |
https://usn.ubuntu.com/4213-1/ | vendor-advisory, x_refsource_UBUNTU |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:32:55.368Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_1.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.squid-cache.org/show_bug.cgi?id=4937" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-2981a957716c61ff7e21eee1d7d6eb5a237e466d.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4213-1/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. 
On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-12-04T19:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_1.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.squid-cache.org/show_bug.cgi?id=4937" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-2981a957716c61ff7e21eee1d7d6eb5a237e466d.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4213-1/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12854", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, 
"vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2019_1.txt", "refsource": "MISC", "url": "http://www.squid-cache.org/Advisories/SQUID-2019_1.txt" }, { "name": "https://bugs.squid-cache.org/show_bug.cgi?id=4937", "refsource": "MISC", "url": "https://bugs.squid-cache.org/show_bug.cgi?id=4937" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-2981a957716c61ff7e21eee1d7d6eb5a237e466d.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-2981a957716c61ff7e21eee1d7d6eb5a237e466d.patch" }, { "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/", "refsource": "CONFIRM", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "openSUSE-SU-2019:2540", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "USN-4213-1", 
"refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4213-1/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12854", "datePublished": "2019-08-15T16:15:23", "dateReserved": "2019-06-16T00:00:00", "dateUpdated": "2024-08-04T23:32:55.368Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-46847
Vulnerability from cvelistv5
Published
2023-11-03 07:58
Modified
2024-11-06 14:44
Summary
Squid: denial of service in http digest authentication
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:53:21.999Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2023:6266", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6266" }, { "name": "RHSA-2023:6267", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6267" }, { "name": "RHSA-2023:6268", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6268" }, { "name": "RHSA-2023:6748", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6748" }, { "name": "RHSA-2023:6801", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6801" }, { "name": "RHSA-2023:6803", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6803" }, { "name": "RHSA-2023:6804", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6804" }, { "name": "RHSA-2023:6805", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6805" }, { "name": "RHSA-2023:6810", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6810" }, { "name": "RHSA-2023:6882", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6882" }, { "name": "RHSA-2023:6884", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6884" }, { "name": "RHSA-2023:7213", "tags": [ "vendor-advisory", "x_refsource_REDHAT", 
"x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:7213" }, { "name": "RHSA-2023:7576", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:7576" }, { "name": "RHSA-2023:7578", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:7578" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-46847" }, { "name": "RHBZ#2245916", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245916" }, { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g" }, { "tags": [ "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231130-0002/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/squid-cache/squid", "defaultStatus": "unaffected", "packageName": "squid", "versions": [ { "lessThan": "6.4", "status": "affected", "version": "3.2.0.1", "versionType": "custom" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_els:6" ], "defaultStatus": "affected", "packageName": "squid34", "product": "Red Hat Enterprise Linux 6 Extended Lifecycle Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:3.4.14-15.el6_10.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_els:6" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 6 Extended Lifecycle Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": 
"unaffected", "version": "7:3.1.23-24.el6_10.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7::workstation", "cpe:/o:redhat:enterprise_linux:7::server" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:3.5.20-17.el7_9.9", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:7.6::server" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 7.6 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:3.5.20-12.el7_6.2", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:rhel_aus:7.7::server" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 7.7 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:3.5.20-13.el7_7.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8080020231030214932.63b34585", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": 
"8090020231030224841.a75119d5", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_e4s:8.1::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8010020231101141358.c27ad7f8", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8020020231101135052.4cda2c84", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8020020231101135052.4cda2c84", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8020020231101135052.4cda2c84", "versionType": "rpm" } ] }, { "collectionURL": 
"https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8040020231101101624.522a0ee4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8040020231101101624.522a0ee4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8040020231101101624.522a0ee4", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:8.6::appstream" ], "defaultStatus": "affected", "packageName": "squid:4", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "8060020231031165747.ad008a3a", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ 
"cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.5-5.el9_2.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.5-6.el9_3.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.0::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.2-1.el9_0.3", "versionType": "rpm" } ] } ], "datePublic": "2023-10-19T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication." 
} ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Critical" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-120", "description": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T14:44:14.392Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2023:6266", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6266" }, { "name": "RHSA-2023:6267", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6267" }, { "name": "RHSA-2023:6268", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6268" }, { "name": "RHSA-2023:6748", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6748" }, { "name": "RHSA-2023:6801", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6801" }, { "name": "RHSA-2023:6803", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6803" }, { "name": "RHSA-2023:6804", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6804" }, { "name": "RHSA-2023:6805", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": 
"https://access.redhat.com/errata/RHSA-2023:6805" }, { "name": "RHSA-2023:6810", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6810" }, { "name": "RHSA-2023:6882", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6882" }, { "name": "RHSA-2023:6884", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6884" }, { "name": "RHSA-2023:7213", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:7213" }, { "name": "RHSA-2023:7576", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:7576" }, { "name": "RHSA-2023:7578", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:7578" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-46847" }, { "name": "RHBZ#2245916", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245916" }, { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g" } ], "timeline": [ { "lang": "en", "time": "2023-10-24T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-10-19T00:00:00+00:00", "value": "Made public." } ], "title": "Squid: denial of service in http digest authentication", "x_redhatCweChain": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-46847", "datePublished": "2023-11-03T07:58:05.641Z", "dateReserved": "2023-10-27T08:36:38.158Z", "dateUpdated": "2024-11-06T14:44:14.392Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-2951
Vulnerability from cvelistv5
Published
2010-10-12 20:00
Modified
2024-08-07 02:55
Summary
dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is not enabled, accesses an invalid socket during an IPv4 TCP DNS query, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via vectors that trigger an IPv4 DNS response with the TC bit set.
References
URL | Tags | |
---|---|---|
http://www.openwall.com/lists/oss-security/2010/08/25/6 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2010/08/24/7 | mailing-list, x_refsource_MLIST | |
http://bugs.squid-cache.org/show_bug.cgi?id=3009 | x_refsource_CONFIRM | |
http://marc.info/?l=squid-users&m=128263555724981&w=2 | mailing-list, x_refsource_MLIST | |
https://bugzilla.redhat.com/show_bug.cgi?id=626927 | x_refsource_CONFIRM | |
http://bugs.squid-cache.org/show_bug.cgi?id=3021 | x_refsource_CONFIRM | |
http://bazaar.launchpad.net/~squid/squid/3.1/revision/10072 | x_refsource_CONFIRM | |
http://bugs.gentoo.org/show_bug.cgi?id=334263 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2010/08/24/6 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2010/08/25/2 | mailing-list, x_refsource_MLIST | |
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10072.patch | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T02:55:45.461Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20100825 Re: CVE Request -- Squid v3.1.6 -- DoS (crash) while processing large DNS replies with no IPv6 resolver present", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/08/25/6" }, { "name": "[oss-security] 20100825 Re: CVE Request -- Squid v3.1.6 -- DoS (crash) while processing large DNS replies with no IPv6 resolver present", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/08/24/7" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=3009" }, { "name": "[squid-users] 20100824 Squid 3.1.7 is available", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=squid-users\u0026m=128263555724981\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=626927" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=3021" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bazaar.launchpad.net/~squid/squid/3.1/revision/10072" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=334263" }, { "name": "[oss-security] 20100824 CVE Request -- Squid v3.1.6 -- DoS (crash) while processing large DNS replies with no IPv6 resolver present", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/08/24/6" }, { "name": "[oss-security] 20100825 Re: CVE Request -- Squid v3.1.6 -- DoS (crash) while processing large DNS replies with no IPv6 resolver present", "tags": [ "mailing-list", 
"x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2010/08/25/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10072.patch" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is not enabled, accesses an invalid socket during an IPv4 TCP DNS query, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via vectors that trigger an IPv4 DNS response with the TC bit set." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-10-12T20:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[oss-security] 20100825 Re: CVE Request -- Squid v3.1.6 -- DoS (crash) while processing large DNS replies with no IPv6 resolver present", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/08/25/6" }, { "name": "[oss-security] 20100825 Re: CVE Request -- Squid v3.1.6 -- DoS (crash) while processing large DNS replies with no IPv6 resolver present", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/08/24/7" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=3009" }, { "name": "[squid-users] 20100824 Squid 3.1.7 is available", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=squid-users\u0026m=128263555724981\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=626927" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://bugs.squid-cache.org/show_bug.cgi?id=3021" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bazaar.launchpad.net/~squid/squid/3.1/revision/10072" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.gentoo.org/show_bug.cgi?id=334263" }, { "name": "[oss-security] 20100824 CVE Request -- Squid v3.1.6 -- DoS (crash) while processing large DNS replies with no IPv6 resolver present", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/08/24/6" }, { "name": "[oss-security] 20100825 Re: CVE Request -- Squid v3.1.6 -- DoS (crash) while processing large DNS replies with no IPv6 resolver present", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2010/08/25/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10072.patch" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-2951", "datePublished": "2010-10-12T20:00:00Z", "dateReserved": "2010-08-04T00:00:00Z", "dateUpdated": "2024-08-07T02:55:45.461Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-0189
Vulnerability from cvelistv5
Published
2013-02-08 20:00
Modified
2024-08-06 14:18
Summary
cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and other versions, allows remote attackers to cause a denial of service (resource consumption) via a crafted request. NOTE: this issue is due to an incorrect fix for CVE-2012-5643, possibly involving an incorrect order of arguments or incorrect comparison.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.426Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch" }, { "name": "DSA-2631", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2013/dsa-2631" }, { "name": "MDVSA-2013:129", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:129" }, { "name": "USN-1713-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-1713-1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0029" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=887962#c9" }, { "name": "openSUSE-SU-2013:1443", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00032.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2012_1.patch" }, { "name": "[scm-commits] 20130125 [squid/f17] CVE-2013-0189: Incomplete fix for the CVE-2012-5643", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/scm-commits/2013-January/934637.html" }, { "name": "52024", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", 
"x_transferred" ], "url": "http://secunia.com/advisories/52024" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743" }, { "name": "54839", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/54839" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "57646", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/57646" }, { "name": "openSUSE-SU-2013:1436", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00025.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=895972" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-01-16T00:00:00", "descriptions": [ { "lang": "en", "value": "cachemgr.cgi in Squid 3.1.x and 3.2.x, possibly 3.1.22, 3.2.4, and other versions, allows remote attackers to cause a denial of service (resource consumption) via a crafted request. NOTE: this issue is due to an incorrect fix for CVE-2012-5643, possibly involving an incorrect order of arguments or incorrect comparison." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID-2012_1.patch" }, { "name": "DSA-2631", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2013/dsa-2631" }, { "name": "MDVSA-2013:129", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:129" }, { "name": "USN-1713-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-1713-1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bazaar.launchpad.net/~squid/squid/3.2/revision/11744" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0029" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=887962#c9" }, { "name": "openSUSE-SU-2013:1443", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00032.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2012_1.patch" }, { "name": "[scm-commits] 20130125 [squid/f17] CVE-2013-0189: Incomplete fix for the CVE-2012-5643", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.fedoraproject.org/pipermail/scm-commits/2013-January/934637.html" }, { "name": "52024", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52024" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://bazaar.launchpad.net/~squid/squid/3.2/revision/11743" }, { "name": "54839", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54839" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "57646", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/57646" }, { "name": "openSUSE-SU-2013:1436", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00025.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=895972" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0189", "datePublished": "2013-02-08T20:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.426Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28662
Vulnerability from cvelistv5
Published
2021-05-27 00:00
Modified
2024-08-03 21:47
Summary
An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:47:33.054Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h" }, { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/051824924c709bd6162a378f746fb859454c674e" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v6/changesets/squid-6-051824924c709bd6162a378f746fb859454c674e.patch" }, { "name": "DSA-4924", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. 
This header can plausibly occur in benign network traffic." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-17T04:06:18.298369", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h" }, { "url": "https://github.com/squid-cache/squid/commit/051824924c709bd6162a378f746fb859454c674e" }, { "url": "http://www.squid-cache.org/Versions/v6/changesets/squid-6-051824924c709bd6162a378f746fb859454c674e.patch" }, { "name": "DSA-4924", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28662", "datePublished": "2021-05-27T00:00:00", "dateReserved": "2021-03-18T00:00:00", "dateUpdated": "2024-08-03T21:47:33.054Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12525
Vulnerability from cvelistv5
Published
2019-07-11 18:17
Modified
2024-08-04 23:24
Summary
An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.574Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commits/v4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch" }, { "name": "USN-4065-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4065-1/" }, { "name": "[debian-lts-announce] 20190720 [SECURITY] [DLA 1858-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html" }, { "name": "USN-4065-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4065-2/" }, { "name": "FEDORA-2019-cb50bcc189", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2019-06-19T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token\u0027s value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-10T23:06:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/commits/v4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch" }, { "name": "USN-4065-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4065-1/" }, { "name": "[debian-lts-announce] 20190720 [SECURITY] [DLA 1858-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html" }, { "name": "USN-4065-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4065-2/" }, { "name": "FEDORA-2019-cb50bcc189", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] 
[DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12525", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token\u0027s value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v4/changesets/", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "name": "https://github.com/squid-cache/squid/commits/v4", "refsource": "CONFIRM", "url": "https://github.com/squid-cache/squid/commits/v4" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch" }, { "name": "USN-4065-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4065-1/" }, { "name": "[debian-lts-announce] 20190720 [SECURITY] [DLA 1858-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html" }, { "name": "USN-4065-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4065-2/" }, { "name": "FEDORA-2019-cb50bcc189", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "openSUSE-SU-2019:2540", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ] } 
} } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12525", "datePublished": "2019-07-11T18:17:49", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.574Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-7141
Vulnerability from cvelistv5
Published
2014-11-26 15:00
Modified
2024-08-06 12:40
Severity ?
EPSS score ?
Summary
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.
References
▼ | URL | Tags |
---|---|---|
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://seclists.org/oss-sec/2014/q3/612 | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/60242 | third-party-advisory, x_refsource_SECUNIA | |
https://bugzilla.novell.com/show_bug.cgi?id=891268 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/69688 | vdb-entry, x_refsource_BID | |
http://seclists.org/oss-sec/2014/q3/539 | mailing-list, x_refsource_MLIST | |
http://ubuntu.com/usn/usn-2422-1 | vendor-advisory, x_refsource_UBUNTU | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE | |
http://seclists.org/oss-sec/2014/q3/626 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T12:40:19.045Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2014_4.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20140916 Re: CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q3/612" }, { "name": "60242", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/60242" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.novell.com/show_bug.cgi?id=891268" }, { "name": "69688", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/69688" }, { "name": "[oss-security] 20140909 CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q3/539" }, { "name": "USN-2422-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://ubuntu.com/usn/usn-2422-1" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20140922 Re: CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q3/626" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-09-09T00:00:00", 
"descriptions": [ { "lang": "en", "value": "The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2014_4.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20140916 Re: CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q3/612" }, { "name": "60242", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/60242" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.novell.com/show_bug.cgi?id=891268" }, { "name": "69688", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/69688" }, { "name": "[oss-security] 20140909 CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q3/539" }, { "name": "USN-2422-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://ubuntu.com/usn/usn-2422-1" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20140922 Re: CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q3/626" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": 
"cve@mitre.org", "ID": "CVE-2014-7141", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2014_4.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2014_4.txt" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20140916 Re: CVE-Request: squid pinger remote DoS", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q3/612" }, { "name": "60242", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60242" }, { "name": "https://bugzilla.novell.com/show_bug.cgi?id=891268", "refsource": "CONFIRM", "url": "https://bugzilla.novell.com/show_bug.cgi?id=891268" }, { "name": "69688", "refsource": "BID", "url": "http://www.securityfocus.com/bid/69688" }, { "name": "[oss-security] 20140909 CVE-Request: squid pinger remote DoS", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q3/539" }, { "name": "USN-2422-1", "refsource": "UBUNTU", "url": "http://ubuntu.com/usn/usn-2422-1" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20140922 Re: CVE-Request: squid pinger remote DoS", "refsource": 
"MLIST", "url": "http://seclists.org/oss-sec/2014/q3/626" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-7141", "datePublished": "2014-11-26T15:00:00", "dateReserved": "2014-09-22T00:00:00", "dateUpdated": "2024-08-06T12:40:19.045Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-19132
Vulnerability from cvelistv5
Published
2018-11-09 11:00
Modified
2024-08-05 11:30
Severity ?
EPSS score ?
Summary
Squid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet.
References
▼ | URL | Tags |
---|---|---|
https://github.com/squid-cache/squid/pull/313 | x_refsource_MISC | |
http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch | x_refsource_MISC | |
http://www.squid-cache.org/Advisories/SQUID-2018_5.txt | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2018/11/msg00032.html | mailing-list, x_refsource_MLIST | |
https://usn.ubuntu.com/4059-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:30:03.999Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/313" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_5.txt" }, { "name": "[debian-lts-announce] 20181126 [SECURITY] [DLA 1596-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00032.html" }, { "name": "USN-4059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4059-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-11-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-10T23:06:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/pull/313" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_5.txt" }, { "name": "[debian-lts-announce] 20181126 [SECURITY] [DLA 1596-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00032.html" }, { "name": "USN-4059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4059-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19132", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/pull/313", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/313" }, { "name": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-644131ff1e00c1895d77561f561d29c104ba6b11.patch" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2018_5.txt", "refsource": "MISC", "url": "http://www.squid-cache.org/Advisories/SQUID-2018_5.txt" }, { "name": "[debian-lts-announce] 20181126 [SECURITY] [DLA 1596-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00032.html" }, { "name": "USN-4059-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4059-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19132", "datePublished": "2018-11-09T11:00:00", "dateReserved": "2018-11-09T00:00:00", "dateUpdated": "2024-08-05T11:30:03.999Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-0881
Vulnerability from cvelistv5
Published
2015-02-20 11:00
Modified
2024-08-06 04:26
Severity ?
EPSS score ?
Summary
CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response.
References
▼ | URL | Tags |
---|---|---|
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000019 | third-party-advisory, x_refsource_JVNDB | |
http://jvn.jp/en/jp/JVN64455813/index.html | third-party-advisory, x_refsource_JVN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T04:26:11.206Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "JVNDB-2015-000019", "tags": [ "third-party-advisory", "x_refsource_JVNDB", "x_transferred" ], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000019" }, { "name": "JVN#64455813", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN64455813/index.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-02-20T00:00:00", "descriptions": [ { "lang": "en", "value": "CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-03-02T09:57:00", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "name": "JVNDB-2015-000019", "tags": [ "third-party-advisory", "x_refsource_JVNDB" ], "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000019" }, { "name": "JVN#64455813", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN64455813/index.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2015-0881", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to 
inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "JVNDB-2015-000019", "refsource": "JVNDB", "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000019" }, { "name": "JVN#64455813", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN64455813/index.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2015-0881", "datePublished": "2015-02-20T11:00:00", "dateReserved": "2015-01-08T00:00:00", "dateUpdated": "2024-08-06T04:26:11.206Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12519
Vulnerability from cvelistv5
Published
2020-04-15 19:20
Modified
2024-08-04 23:24
Severity ?
EPSS score ?
Summary
An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it's being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won't overflow.
References
▼ | URL | Tags |
---|---|---|
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12519.txt | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2020/04/23/1 | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2020/dsa-4682 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html | vendor-advisory, x_refsource_SUSE | |
https://security.gentoo.org/glsa/202005-05 | vendor-advisory, x_refsource_GENTOO | |
https://usn.ubuntu.com/4356-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html | mailing-list, x_refsource_MLIST | |
https://security.netapp.com/advisory/ntap-20210205-0006/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:37.851Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12519.txt" }, { "name": "[oss-security] 20200423 [ADVISORY] SQUID-2019:12 Multiple issues in ESI Response processing", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/23/1" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "GLSA-202005-05", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202005-05" }, { "name": "USN-4356-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it\u0027s being evaluated. 
When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won\u0027t overflow." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-05T11:06:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12519.txt" }, { "name": "[oss-security] 20200423 [ADVISORY] SQUID-2019:12 Multiple issues in ESI Response processing", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/23/1" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "GLSA-202005-05", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202005-05" }, { "name": "USN-4356-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12519", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": 
"n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it\u0027s being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won\u0027t overflow." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12519.txt", "refsource": "MISC", "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12519.txt" }, { "name": "[oss-security] 20200423 [ADVISORY] SQUID-2019:12 Multiple issues in ESI Response processing", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/04/23/1" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "GLSA-202005-05", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202005-05" }, { "name": "USN-4356-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210205-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ] } } } }, "cveMetadata": { "assignerOrgId": 
"8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12519", "datePublished": "2020-04-15T19:20:41", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:37.851Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28652
Vulnerability from cvelistv5
Published
2021-05-27 00:00
Modified
2024-08-03 21:47
Severity ?
EPSS score ?
Summary
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that, over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:47:33.045Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://bugs.squid-cache.org/show_bug.cgi?id=5106" }, { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447" }, { "name": "DSA-4924", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. 
This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-17T04:06:13.161891", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://bugs.squid-cache.org/show_bug.cgi?id=5106" }, { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447" }, { "name": "DSA-4924", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28652", "datePublished": "2021-05-27T00:00:00", "dateReserved": "2021-03-17T00:00:00", "dateUpdated": "2024-08-03T21:47:33.045Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-46724
Vulnerability from cvelistv5
Published
2023-11-01 19:09
Modified
2024-09-05 20:13
Severity ?
EPSS score ?
Summary
SQUID-2023:4 Denial of Service in SSL Certificate validation
References
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:53:20.863Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3" }, { "name": "https://github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810" }, { "name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231208-0001/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-46724", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-05T20:13:11.511935Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-05T20:13:29.792Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { 
"affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003e= 3.3.0.1, \u003c 6.4" } ] } ], "descriptions": [ { "lang": "en", "value": " Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid\u0027s patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-129", "description": "CWE-129: Improper Validation of Array Index", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-786", "description": "CWE-786: Access of Memory Location Before Start of Buffer", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-823", "description": "CWE-823: Use of Out-of-range Pointer Offset", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-1285", "description": 
"CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-01T19:09:34.513Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3" }, { "name": "https://github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810" }, { "name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch", "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch", "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch" }, { "url": "https://security.netapp.com/advisory/ntap-20231208-0001/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" } ], "source": { "advisory": "GHSA-73m6-jm96-c6r3", "discovery": "UNKNOWN" }, "title": "SQUID-2023:4 Denial of Service in SSL Certificate validation" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-46724", "datePublished": "2023-11-01T19:09:34.513Z", "dateReserved": "2023-10-25T14:30:33.751Z", "dateUpdated": "2024-09-05T20:13:29.792Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-25097
Vulnerability from cvelistv5
Published
2021-03-19 04:08
Modified
2024-08-04 15:26
Summary
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:26:09.610Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2020_11.patch" }, { "name": "DSA-4873", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4873" }, { "name": "FEDORA-2021-ecb24e0b9d", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DJMDRVV677AJL4BZAOLCT5LMFCGBZTC2/" }, { "name": "FEDORA-2021-7d86bec29e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FBXFWKIGXPERDVQXG556LLPUOCMQGERC/" }, { "name": "FEDORA-2021-76f09062a7", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O3RYBDMJCPYGOSURWDR3WJTE474UFT77/" }, { "name": "GLSA-202105-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202105-14" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210727-0010/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in 
Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-27T15:06:31", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2020_11.patch" }, { "name": "DSA-4873", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4873" }, { "name": "FEDORA-2021-ecb24e0b9d", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DJMDRVV677AJL4BZAOLCT5LMFCGBZTC2/" }, { "name": "FEDORA-2021-7d86bec29e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FBXFWKIGXPERDVQXG556LLPUOCMQGERC/" }, { "name": "FEDORA-2021-76f09062a7", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O3RYBDMJCPYGOSURWDR3WJTE474UFT77/" }, { "name": "GLSA-202105-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202105-14" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210727-0010/" } ], "x_legacyV4Record": { "CVE_data_meta": { 
"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-25097", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch" }, { "name": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2020_11.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2020_11.patch" }, { "name": "DSA-4873", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4873" }, { "name": "FEDORA-2021-ecb24e0b9d", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DJMDRVV677AJL4BZAOLCT5LMFCGBZTC2/" }, { "name": "FEDORA-2021-7d86bec29e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FBXFWKIGXPERDVQXG556LLPUOCMQGERC/" }, { "name": "FEDORA-2021-76f09062a7", "refsource": "FEDORA", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3RYBDMJCPYGOSURWDR3WJTE474UFT77/" }, { "name": "GLSA-202105-14", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202105-14" }, { "name": "https://security.netapp.com/advisory/ntap-20210727-0010/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210727-0010/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-25097", "datePublished": "2021-03-19T04:08:54", "dateReserved": "2020-09-03T00:00:00", "dateUpdated": "2024-08-04T15:26:09.610Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45802
Vulnerability from cvelistv5
Published
2024-10-28 14:36
Modified
2024-10-28 14:48
Summary
Squid Denial of Service
References
▼ | URL | Tags |
---|---|---|
https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj | x_refsource_CONFIRM |
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:squid-cache:squid:3.0:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "squid", "vendor": "squid-cache", "versions": [ { "lessThan": "6.10", "status": "affected", "version": "3.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45802", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-28T14:47:34.303324Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-28T14:48:42.415Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003e= 3.0, \u003c 6.10" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-28T14:36:13.297Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj" } ], "source": { "advisory": "GHSA-f975-v7qw-q7hj", "discovery": "UNKNOWN" }, "title": "Squid Denial of Service" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45802", "datePublished": "2024-10-28T14:36:13.297Z", "dateReserved": "2024-09-09T14:23:07.504Z", "dateUpdated": "2024-10-28T14:48:42.415Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12527
Vulnerability from cvelistv5
Published
2019-07-11 18:10
Modified
2024-08-04 23:24
Summary
An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.676Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commits/v4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch" }, { "name": "109143", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/109143" }, { "name": "USN-4065-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4065-1/" }, { "name": "FEDORA-2019-cb50bcc189", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "RHSA-2019:2593", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:2593" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" } ], "title": "CVE 
Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2019-06-19T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn\u0027t greater than the buffer, leading to a heap-based buffer overflow with user controlled data." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-21T18:07:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/commits/v4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch" }, { "name": "109143", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/109143" }, { "name": "USN-4065-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4065-1/" }, { "name": "FEDORA-2019-cb50bcc189", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "RHSA-2019:2593", "tags": [ "vendor-advisory", 
"x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:2593" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12527", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn\u0027t greater than the buffer, leading to a heap-based buffer overflow with user controlled data." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v4/changesets/", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "name": "https://github.com/squid-cache/squid/commits/v4", "refsource": "CONFIRM", "url": "https://github.com/squid-cache/squid/commits/v4" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch" }, { "name": "109143", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109143" }, { "name": "USN-4065-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4065-1/" }, { "name": "FEDORA-2019-cb50bcc189", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "RHSA-2019:2593", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2593" }, { "name": "openSUSE-SU-2019:2540", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12527", "datePublished": "2019-07-11T18:10:16", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.676Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49288
Vulnerability from cvelistv5
Published
2023-12-04 22:49
Modified
2024-10-15 17:38
Summary
Denial of Service in HTTP Collapsed Forwarding in Squid
References
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:53:44.876Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240119-0006/" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-49288", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-15T17:28:35.294191Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-15T17:38:43.439Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003e= 3.5, \u003c 6.0.1" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Affected versions of squid are subject to a Use-After-Free bug which can lead to a Denial of Service attack via collapsed forwarding. All versions of Squid from 3.5 up to and including 5.9 configured with \"collapsed_forwarding on\" are vulnerable. 
Configurations with \"collapsed_forwarding off\" or without a \"collapsed_forwarding\" directive are not vulnerable. This bug is fixed by Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should remove all collapsed_forwarding lines from their squid.conf." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-416", "description": "CWE-416: Use After Free", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-04T22:49:31.317Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/" }, { "url": "https://security.netapp.com/advisory/ntap-20240119-0006/" } ], "source": { "advisory": "GHSA-rj5h-46j6-q2g5", "discovery": "UNKNOWN" }, "title": "Denial of Service in HTTP Collapsed Forwarding in Squid" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-49288", "datePublished": "2023-12-04T22:49:31.317Z", "dateReserved": "2023-11-24T16:45:24.312Z", "dateUpdated": "2024-10-15T17:38:43.439Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", 
"dataVersion": "5.1" }
cve-2020-11945
Vulnerability from cvelistv5
Published
2020-04-23 14:16
Modified
2024-08-04 11:42
Summary
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:42:00.741Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://master.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/585" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/eeebf0f37a72a2de08348e85ae34b02c34e9a811" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/23/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1170313" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "GLSA-202005-05", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202005-05" }, { "name": "FEDORA-2020-848065cc4c", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FWQRYZJPHAZBLXJ56FPCHJN5X2FP3VA/" }, { "name": "FEDORA-2020-a6a921a591", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RV2VZWFJNO3B56IVN56HHKJASG5DYUIX/" }, { "name": "FEDORA-2020-56e809930e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4MWXEZAJSOGRJSS2JCJK4WBSND4IV46/" }, { "name": "USN-4356-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210304-0004/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials)." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-04T12:06:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://master.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/pull/585" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commit/eeebf0f37a72a2de08348e85ae34b02c34e9a811" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.openwall.com/lists/oss-security/2020/04/23/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1170313" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "GLSA-202005-05", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202005-05" }, { "name": "FEDORA-2020-848065cc4c", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FWQRYZJPHAZBLXJ56FPCHJN5X2FP3VA/" }, { "name": "FEDORA-2020-a6a921a591", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RV2VZWFJNO3B56IVN56HHKJASG5DYUIX/" }, { "name": "FEDORA-2020-56e809930e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4MWXEZAJSOGRJSS2JCJK4WBSND4IV46/" }, { "name": "USN-4356-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210304-0004/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-11945", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch" }, { "name": "http://master.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch", "refsource": "MISC", "url": "http://master.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patch" }, { "name": "https://github.com/squid-cache/squid/pull/585", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/585" }, { "name": "https://github.com/squid-cache/squid/commit/eeebf0f37a72a2de08348e85ae34b02c34e9a811", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/commit/eeebf0f37a72a2de08348e85ae34b02c34e9a811" }, { "name": "http://www.openwall.com/lists/oss-security/2020/04/23/2", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2020/04/23/2" }, { "name": "https://bugzilla.suse.com/show_bug.cgi?id=1170313", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1170313" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "openSUSE-SU-2020:0623", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "GLSA-202005-05", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202005-05" }, { "name": "FEDORA-2020-848065cc4c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FWQRYZJPHAZBLXJ56FPCHJN5X2FP3VA/" }, { "name": "FEDORA-2020-a6a921a591", "refsource": "FEDORA", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RV2VZWFJNO3B56IVN56HHKJASG5DYUIX/" }, { "name": "FEDORA-2020-56e809930e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4MWXEZAJSOGRJSS2JCJK4WBSND4IV46/" }, { "name": "USN-4356-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210304-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210304-0004/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-11945", "datePublished": "2020-04-23T14:16:55", "dateReserved": "2020-04-20T00:00:00", "dateUpdated": "2024-08-04T11:42:00.741Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-3205
Vulnerability from cvelistv5
Published
2011-09-06 15:00
Modified
2024-08-06 23:29
Summary
Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T23:29:55.437Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2011:1293", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-1293.html" }, { "name": "46029", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/46029" }, { "name": "45906", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/45906" }, { "name": "FEDORA-2011-11854", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065534.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "SUSE-SU-2011:1019", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00013.html" }, { "name": "1025981", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1025981" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9193.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10363.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v2/2.HEAD/changesets/12710.patch" }, { "name": "45965", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/45965" }, { "name": "45805", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], 
"url": "http://secunia.com/advisories/45805" }, { "name": "DSA-2304", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2011/dsa-2304" }, { "name": "[oss-security] 20110830 Re: CVE-request(?): squid: buffer overflow in Gopher reply parser", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2011/08/30/8" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2011_3.txt" }, { "name": "openSUSE-SU-2011:1018", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00012.html" }, { "name": "[oss-security] 20110829 CVE-request(?): squid: buffer overflow in Gopher reply parser", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2011/08/29/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=734583" }, { "name": "[oss-security] 20110830 Re: CVE-request(?): squid: buffer overflow in Gopher reply parser", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2011/08/30/4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11294.patch" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "49356", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/49356" }, { "name": "74847", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/74847" }, { "name": "45920", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], 
"url": "http://secunia.com/advisories/45920" }, { "name": "MDVSA-2011:150", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:150" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-08-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2011:1293", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-1293.html" }, { "name": "46029", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/46029" }, { "name": "45906", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/45906" }, { "name": "FEDORA-2011-11854", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065534.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "SUSE-SU-2011:1019", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00013.html" }, { "name": "1025981", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1025981" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9193.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10363.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v2/2.HEAD/changesets/12710.patch" }, { "name": "45965", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/45965" }, { "name": "45805", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/45805" }, { "name": "DSA-2304", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2011/dsa-2304" }, { "name": "[oss-security] 20110830 Re: CVE-request(?): squid: buffer overflow in Gopher reply parser", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2011/08/30/8" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2011_3.txt" }, { "name": "openSUSE-SU-2011:1018", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2011-09/msg00012.html" }, { "name": "[oss-security] 20110829 CVE-request(?): squid: buffer overflow in Gopher reply parser", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2011/08/29/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=734583" }, { "name": "[oss-security] 20110830 Re: CVE-request(?): squid: buffer overflow in Gopher reply parser", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2011/08/30/4" }, { "tags": [ 
"x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11294.patch" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "49356", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/49356" }, { "name": "74847", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/74847" }, { "name": "45920", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/45920" }, { "name": "MDVSA-2011:150", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:150" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-3205", "datePublished": "2011-09-06T15:00:00", "dateReserved": "2011-08-19T00:00:00", "dateUpdated": "2024-08-06T23:29:55.437Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4054
Vulnerability from cvelistv5
Published
2016-04-25 14:00
Modified
2024-08-06 00:17
Summary
Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:17:30.010Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, 
{ "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "1035647", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035647" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/86788" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-04-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-28T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ 
"mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "1035647", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035647" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/86788" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4054", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "RHSA-2016:1139", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "1035647", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035647" }, { "name": "DSA-3625", "refsource": "DEBIAN", "url": 
"http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "refsource": "BID", "url": "http://www.securityfocus.com/bid/86788" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4054", "datePublished": "2016-04-25T14:00:00", "dateReserved": "2016-04-20T00:00:00", "dateUpdated": "2024-08-06T00:17:30.010Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12520
Vulnerability from cvelistv5
Published
2020-04-15 19:14
Modified
2024-08-04 23:24
Summary
An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making an MD5 hash of the absolute URL of the request. If found, it serves the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI.
References
▼ | URL | Tags |
---|---|---|
http://www.squid-cache.org/Versions/v4/ | x_refsource_MISC | |
http://www.squid-cache.org/Versions/v4/changesets/ | x_refsource_MISC | |
https://github.com/squid-cache/squid/commits/v4 | x_refsource_MISC | |
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt | x_refsource_MISC | |
https://www.debian.org/security/2020/dsa-4682 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html | mailing-list, x_refsource_MLIST | |
https://usn.ubuntu.com/4446-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://security.netapp.com/advisory/ntap-20210205-0006/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.487Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commits/v4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4446-1/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. 
This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker\u0027s HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-05T11:06:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commits/v4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4446-1/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12520", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": 
{ "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker\u0027s HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v4/", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "name": "https://github.com/squid-cache/squid/commits/v4", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/commits/v4" }, { "name": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt", "refsource": "MISC", "url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4446-1/" }, { "name": "https://security.netapp.com/advisory/ntap-20210205-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210205-0006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12520", "datePublished": "2020-04-15T19:14:25", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.487Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-0639
Vulnerability from cvelistv5
Published
2010-02-15 18:00
Modified
2024-08-07 00:52
Summary
The htcpHandleTstRequest function in htcp.c in Squid 2.x before 2.6.STABLE24 and 2.7 before 2.7.STABLE8, and htcp.cc in 3.0 before 3.0.STABLE24, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted packets to the HTCP port.
References
▼ | URL | Tags |
---|---|---|
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037159.html | vendor-advisory, x_refsource_FEDORA | |
http://osvdb.org/62297 | vdb-entry, x_refsource_OSVDB | |
http://www.squid-cache.org/Advisories/SQUID-2010_2.txt | x_refsource_CONFIRM | |
http://www.vupen.com/english/advisories/2010/0371 | vdb-entry, x_refsource_VUPEN | |
http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035961.html | vendor-advisory, x_refsource_FEDORA | |
http://www.vupen.com/english/advisories/2010/0603 | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/38812 | third-party-advisory, x_refsource_SECUNIA | |
http://www.squid-cache.org/Versions/v3/3.0/changesets/3.0-ADV-2010_2.patch | x_refsource_MISC | |
http://bugs.squid-cache.org/show_bug.cgi?id=2858 | x_refsource_MISC | |
http://www.securityfocus.com/bid/38212 | vdb-entry, x_refsource_BID | |
http://www.securitytracker.com/id?1023587 | vdb-entry, x_refsource_SECTRACK | |
http://www.squid-cache.org/Versions/v2/2.7/changesets/12600.patch | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T00:52:20.117Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2010-2434", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037159.html" }, { "name": "62297", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/62297" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2010_2.txt" }, { "name": "ADV-2010-0371", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/0371" }, { "name": "FEDORA-2010-3064", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035961.html" }, { "name": "ADV-2010-0603", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/0603" }, { "name": "38812", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38812" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/3.0-ADV-2010_2.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=2858" }, { "name": "38212", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/38212" }, { "name": "1023587", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1023587" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v2/2.7/changesets/12600.patch" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": 
"n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-02-12T00:00:00", "descriptions": [ { "lang": "en", "value": "The htcpHandleTstRequest function in htcp.c in Squid 2.x before 2.6.STABLE24 and 2.7 before 2.7.STABLE8, and htcp.cc in 3.0 before 3.0.STABLE24, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted packets to the HTCP port." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2010-03-26T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "FEDORA-2010-2434", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037159.html" }, { "name": "62297", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/62297" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2010_2.txt" }, { "name": "ADV-2010-0371", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/0371" }, { "name": "FEDORA-2010-3064", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035961.html" }, { "name": "ADV-2010-0603", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/0603" }, { "name": "38812", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38812" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/3.0-ADV-2010_2.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=2858" }, { "name": "38212", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/38212" }, { "name": "1023587", 
"tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1023587" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v2/2.7/changesets/12600.patch" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-0639", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The htcpHandleTstRequest function in htcp.c in Squid 2.x before 2.6.STABLE24 and 2.7 before 2.7.STABLE8, and htcp.cc in 3.0 before 3.0.STABLE24, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted packets to the HTCP port." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "FEDORA-2010-2434", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037159.html" }, { "name": "62297", "refsource": "OSVDB", "url": "http://osvdb.org/62297" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2010_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2010_2.txt" }, { "name": "ADV-2010-0371", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/0371" }, { "name": "FEDORA-2010-3064", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035961.html" }, { "name": "ADV-2010-0603", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/0603" }, { "name": "38812", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38812" }, { "name": 
"http://www.squid-cache.org/Versions/v3/3.0/changesets/3.0-ADV-2010_2.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/3.0-ADV-2010_2.patch" }, { "name": "http://bugs.squid-cache.org/show_bug.cgi?id=2858", "refsource": "MISC", "url": "http://bugs.squid-cache.org/show_bug.cgi?id=2858" }, { "name": "38212", "refsource": "BID", "url": "http://www.securityfocus.com/bid/38212" }, { "name": "1023587", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1023587" }, { "name": "http://www.squid-cache.org/Versions/v2/2.7/changesets/12600.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v2/2.7/changesets/12600.patch" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-0639", "datePublished": "2010-02-15T18:00:00", "dateReserved": "2010-02-15T00:00:00", "dateUpdated": "2024-08-07T00:52:20.117Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1000024
Vulnerability from cvelistv5
Published
2018-02-09 23:00
Modified
2024-08-05 12:33
Severity ?
EPSS score ?
Summary
The Squid Software Foundation Squid HTTP Caching Proxy versions 3.0 to 3.5.27 and 4.0 to 4.0.22 contain an Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy. This attack appears to be exploitable via a remote server delivering an HTTP response payload containing valid but unusual ESI syntax. This vulnerability appears to have been fixed in 4.0.23 and later.
References
▼ | URL | Tags |
---|---|---|
https://usn.ubuntu.com/3557-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://www.debian.org/security/2018/dsa-4122 | vendor-advisory, x_refsource_DEBIAN | |
http://www.squid-cache.org/Versions/ | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html | mailing-list, x_refsource_MLIST | |
http://www.squid-cache.org/Advisories/SQUID-2018_1.txt | x_refsource_CONFIRM | |
https://usn.ubuntu.com/4059-2/ | vendor-advisory, x_refsource_UBUNTU |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:33:48.901Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "DSA-4122", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4122" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/" }, { "name": "[debian-lts-announce] 20180202 [SECURITY] [DLA 1266-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_1.txt" }, { "name": "USN-4059-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4059-2/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "dateAssigned": "2018-01-15T00:00:00", "datePublic": "2018-01-19T00:00:00", "descriptions": [ { "lang": "en", "value": "The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy.. This attack appear to be exploitable via Remote server delivers an HTTP response payload containing valid but unusual ESI syntax.. This vulnerability appears to have been fixed in 4.0.23 and later." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-07-17T15:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "DSA-4122", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4122" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/" }, { "name": "[debian-lts-announce] 20180202 [SECURITY] [DLA 1266-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_1.txt" }, { "name": "USN-4059-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4059-2/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "1/15/2018 4:39:34", "ID": "CVE-2018-1000024", "REQUESTER": "squid3@treenet.co.nz", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy.. This attack appear to be exploitable via Remote server delivers an HTTP response payload containing valid but unusual ESI syntax.. This vulnerability appears to have been fixed in 4.0.23 and later." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3557-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "DSA-4122", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4122" }, { "name": "http://www.squid-cache.org/Versions/", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/" }, { "name": "[debian-lts-announce] 20180202 [SECURITY] [DLA 1266-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2018_1.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2018_1.txt" }, { "name": "USN-4059-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4059-2/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000024", "datePublished": "2018-02-09T23:00:00", "dateReserved": "2018-01-29T00:00:00", "dateUpdated": "2024-08-05T12:33:48.901Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-8449
Vulnerability from cvelistv5
Published
2020-02-04 19:50
Modified
2024-08-04 09:56
Severity ?
EPSS score ?
Summary
An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:56:28.402Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_1.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch" }, { "name": "USN-4289-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "FEDORA-2020-ab8e7463ab", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/" }, { "name": "FEDORA-2020-790296a8f4", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/" }, { "name": "openSUSE-SU-2020:0606", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210304-0002/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-04T12:06:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_1.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch" }, { "name": "USN-4289-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "FEDORA-2020-ab8e7463ab", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/" }, { "name": "FEDORA-2020-790296a8f4", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/" }, { "name": "openSUSE-SU-2020:0606", "tags": [ 
"vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210304-0002/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8449", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2020_1.txt", "refsource": "MISC", "url": "http://www.squid-cache.org/Advisories/SQUID-2020_1.txt" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-d8e4715992d0e530871519549add5519cbac0598.patch" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-8e657e835965c3a011375feaa0359921c5b3e2dd.patch" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-b3a0719affab099c684f1cd62b79ab02816fa962.patch" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_1.patch" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2020_1.patch" }, { "name": "USN-4289-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "FEDORA-2020-ab8e7463ab", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6W2IQ7QV2OGREFFUBNVZIDD3RJBDE4R/" }, { 
"name": "FEDORA-2020-790296a8f4", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TSU6SPANL27AGK5PCGBJOKG4LUWA555J/" }, { "name": "openSUSE-SU-2020:0606", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210304-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210304-0002/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8449", "datePublished": "2020-02-04T19:50:21", "dateReserved": "2020-01-30T00:00:00", "dateUpdated": "2024-08-04T09:56:28.402Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28116
Vulnerability from cvelistv5
Published
2021-03-09 21:44
Modified
2024-08-03 21:33
Severity: 3.7 LOW (CVSS:3.1/AC:H/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N, from the CNA metrics in the record below)
EPSS score ?
Summary
Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.
References
▼ | URL | Tags |
---|---|---|
http://www.squid-cache.org/Versions/ | x_refsource_MISC | |
https://www.zerodayinitiative.com/advisories/ZDI-21-157/ | x_refsource_MISC | |
https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82 | x_refsource_MISC | |
https://security.gentoo.org/glsa/202105-14 | vendor-advisory, x_refsource_GENTOO | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/ | vendor-advisory, x_refsource_FEDORA | |
http://www.openwall.com/lists/oss-security/2021/10/04/1 | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2022/dsa-5171 | vendor-advisory, x_refsource_DEBIAN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:33:17.441Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-157/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82" }, { "name": "GLSA-202105-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202105-14" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[oss-security] 20211004 CVE-2021-28116 / ZDI-CAN-11610 / SQUID-2020:12 Out-Of-Bounds memory access in WCCPv2", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/10/04/1" }, { "name": "DSA-5171", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2022/dsa-5171" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. 
This can be leveraged as part of a chain for remote code execution as nobody." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:H/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-28T10:06:22", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-157/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82" }, { "name": "GLSA-202105-14", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202105-14" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[oss-security] 20211004 CVE-2021-28116 / ZDI-CAN-11610 / SQUID-2020:12 Out-Of-Bounds memory access in WCCPv2", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/10/04/1" }, { "name": "DSA-5171", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2022/dsa-5171" } ], 
"x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28116", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:H/AV:N/A:N/C:L/I:N/PR:N/S:U/UI:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/" }, { "name": "https://www.zerodayinitiative.com/advisories/ZDI-21-157/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-157/" }, { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82" }, { "name": "GLSA-202105-14", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202105-14" }, { "name": "FEDORA-2021-c0bec55ec7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "refsource": "FEDORA", 
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[oss-security] 20211004 CVE-2021-28116 / ZDI-CAN-11610 / SQUID-2020:12 Out-Of-Bounds memory access in WCCPv2", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/10/04/1" }, { "name": "DSA-5171", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5171" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28116", "datePublished": "2021-03-09T21:44:58", "dateReserved": "2021-03-09T00:00:00", "dateUpdated": "2024-08-03T21:33:17.441Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-31806
Vulnerability from cvelistv5
Published
2021-05-27 00:00
Modified
2024-08-03 23:10
Severity ?
EPSS score ?
Summary
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:10:30.236Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch" }, { "name": "DSA-4924", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210716-0007/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 
before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-17T04:06:21.884321", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf" }, { "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch" }, { "name": "DSA-4924", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "url": "https://security.netapp.com/advisory/ntap-20210716-0007/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31806", "datePublished": 
"2021-05-27T00:00:00", "dateReserved": "2021-04-26T00:00:00", "dateUpdated": "2024-08-03T23:10:30.236Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-3947
Vulnerability from cvelistv5
Published
2016-04-07 18:00
Modified
2024-08-06 00:10
Severity ?
EPSS score ?
Summary
Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger utility in Squid before 3.5.16 and 4.x before 4.0.8 allows remote servers to cause a denial of service (performance degradation or transition failures) or write sensitive information to log files via an ICMPv6 packet.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:10:31.953Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11839.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_3.txt" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10495.patch" }, { "name": "1035457", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035457" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13232.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12694.patch" } 
], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-04-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger utility in Squid before 3.5.16 and 4.x before 4.0.8 allows remote servers to cause a denial of service (performance degradation or transition failures) or write sensitive information to log files via an ICMPv6 packet." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11839.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_3.txt" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10495.patch" }, { "name": "1035457", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035457" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" 
}, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13232.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12694.patch" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-3947", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger utility in Squid before 3.5.16 and 4.x before 4.0.8 allows remote servers to cause a denial of service (performance degradation or transition failures) or write sensitive information to log files via an ICMPv6 packet." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14015.patch" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11839.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11839.patch" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_3.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_3.txt" }, { "name": "USN-2995-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10495.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10495.patch" }, { "name": "1035457", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035457" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13232.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13232.patch" }, { "name": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12694.patch", "refsource": "CONFIRM", "url": 
"http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12694.patch" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-3947", "datePublished": "2016-04-07T18:00:00", "dateReserved": "2016-04-01T00:00:00", "dateUpdated": "2024-08-06T00:10:31.953Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4053
Vulnerability from cvelistv5
Published
2016-04-25 14:00
Modified
2024-08-06 00:17
Severity ?
EPSS score ?
Summary
Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:17:30.656Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "91787", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/91787" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", 
"x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "1035647", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035647" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/86788" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-04-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-28T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "91787", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/91787" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ 
"vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "1035647", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035647" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/86788" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4053", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "91787", "refsource": "BID", "url": "http://www.securityfocus.com/bid/91787" }, { "name": "RHSA-2016:1139", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid 
HTTP Caching Proxy multiple issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "1035647", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035647" }, { "name": "DSA-3625", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "refsource": "BID", "url": "http://www.securityfocus.com/bid/86788" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4053", "datePublished": "2016-04-25T14:00:00", "dateReserved": "2016-04-20T00:00:00", "dateUpdated": "2024-08-06T00:17:30.656Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-2572
Vulnerability from cvelistv5
Published
2016-02-27 02:00
Modified
2024-08-05 23:32
Severity ?
EPSS score ?
Summary
http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
References
▼ | URL | Tags |
---|---|---|
https://security.gentoo.org/glsa/201607-01 | vendor-advisory, x_refsource_GENTOO | |
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://rhn.redhat.com/errata/RHSA-2016-2600.html | vendor-advisory, x_refsource_REDHAT | |
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html | vendor-advisory, x_refsource_SUSE | |
http://www.openwall.com/lists/oss-security/2016/02/26/2 | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE | |
http://www.securitytracker.com/id/1035101 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:32:20.993Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035101" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-02-26T00:00:00", "descriptions": [ { "lang": "en", "value": "http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code 
after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-04T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035101" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2572", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { 
"version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "RHSA-2016:2600", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14548.patch" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035101" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": 
"CVE-2016-2572", "datePublished": "2016-02-27T02:00:00", "dateReserved": "2016-02-26T00:00:00", "dateUpdated": "2024-08-05T23:32:20.993Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1000027
Vulnerability from cvelistv5
Published
2018-02-09 23:00
Modified
2024-08-05 12:33
Severity ?
EPSS score ?
Summary
The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appears to be exploitable via a remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.
References
▼ | URL | Tags |
---|---|---|
https://usn.ubuntu.com/3557-1/ | vendor-advisory, x_refsource_UBUNTU | |
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch | x_refsource_CONFIRM | |
https://www.debian.org/security/2018/dsa-4122 | vendor-advisory, x_refsource_DEBIAN | |
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html | mailing-list, x_refsource_MLIST | |
https://github.com/squid-cache/squid/pull/129/files | x_refsource_CONFIRM | |
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html | mailing-list, x_refsource_MLIST | |
https://usn.ubuntu.com/4059-2/ | vendor-advisory, x_refsource_UBUNTU |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:33:49.031Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch" }, { "name": "DSA-4122", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2018/dsa-4122" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_2.txt" }, { "name": "[debian-lts-announce] 20180202 [SECURITY] [DLA 1266-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/129/files" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch" }, { "name": "[debian-lts-announce] 20180202 [SECURITY] [DLA 1267-1] squid security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html" }, { "name": "USN-4059-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4059-2/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "dateAssigned": "2018-01-18T00:00:00", "datePublic": "2018-01-19T00:00:00", "descriptions": [ { "lang": "en", "value": "The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference 
vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appear to be exploitable via Remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-07-17T15:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch" }, { "name": "DSA-4122", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2018/dsa-4122" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_2.txt" }, { "name": "[debian-lts-announce] 20180202 [SECURITY] [DLA 1266-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/pull/129/files" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch" }, { "name": "[debian-lts-announce] 20180202 [SECURITY] [DLA 1267-1] squid security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html" }, { "name": "USN-4059-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4059-2/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "1/18/2018 15:05:14", "ID": "CVE-2018-1000027", "REQUESTER": 
"squid3@treenet.co.nz", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appear to be exploitable via Remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3557-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch" }, { "name": "DSA-4122", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4122" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2018_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2018_2.txt" }, { "name": "[debian-lts-announce] 20180202 [SECURITY] [DLA 1266-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html" }, { "name": "https://github.com/squid-cache/squid/pull/129/files", "refsource": "CONFIRM", "url": "https://github.com/squid-cache/squid/pull/129/files" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch", "refsource": "CONFIRM", "url": 
"http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch" }, { "name": "[debian-lts-announce] 20180202 [SECURITY] [DLA 1267-1] squid security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html" }, { "name": "USN-4059-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4059-2/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000027", "datePublished": "2018-02-09T23:00:00", "dateReserved": "2018-01-29T00:00:00", "dateUpdated": "2024-08-05T12:33:49.031Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-37894
Vulnerability from cvelistv5
Published
2024-06-25 19:39
Modified
2024-08-02 03:57
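Severity: 6.3 MEDIUM (CVSS 3.1 base score from the CNA metrics in the record below; vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H)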
EPSS score ?
Summary
Squid vulnerable to heap corruption in ESI assign
References
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-37894", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-26T14:07:04.077026Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-26T14:07:11.424Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:57:39.982Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg" }, { "name": "https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240719-0001/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003e= 3.0, \u003c= 3.5.28" }, { "status": "affected", "version": "\u003e= 4.0, \u003c= 4.16" }, { "status": "affected", "version": "\u003e= 5.0, \u003c= 5.9" }, { "status": "affected", "version": "\u003e= 6.0, \u003c= 6.9" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-25T19:39:02.376Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg" }, { "name": "https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch" }, { "url": "https://security.netapp.com/advisory/ntap-20240719-0001/" } ], "source": { "advisory": "GHSA-wgvf-q977-9xjg", "discovery": "UNKNOWN" }, "title": "Squid vulnerable to heap corruption in ESI assign" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-37894", "datePublished": "2024-06-25T19:39:02.376Z", "dateReserved": "2024-06-10T19:54:41.361Z", "dateUpdated": "2024-08-02T03:57:39.982Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-1172
Vulnerability from cvelistv5
Published
2018-05-16 21:00
Modified
2024-08-05 03:51
Summary
This vulnerability allows remote attackers to deny service on vulnerable installations of The Squid Software Foundation Squid 3.5.27-20180318. Authentication is not required to exploit this vulnerability. The specific flaw exists within ClientRequestContext::sslBumpAccessCheck(). A crafted request can trigger the dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-service condition to users of the system. Was ZDI-CAN-6088.
References
▼ | URL | Tags |
---|---|---|
https://zerodayinitiative.com/advisories/ZDI-18-309 | x_refsource_MISC | |
http://www.squid-cache.org/Advisories/SQUID-2018_3.txt | x_refsource_CONFIRM |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:51:48.966Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://zerodayinitiative.com/advisories/ZDI-18-309" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_3.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "The Squid Software Foundation Squid", "vendor": "The Squid Software Foundation", "versions": [ { "status": "affected", "version": "3.5.27-20180318" } ] } ], "datePublic": "2018-04-18T00:00:00", "descriptions": [ { "lang": "en", "value": "This vulnerability allows remote attackers to deny service on vulnerable installations of The Squid Software Foundation Squid 3.5.27-20180318. Authentication is not required to exploit this vulnerability. The specific flaw exists within ClientRequestContext::sslBumpAccessCheck(). A crafted request can trigger the dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-service condition to users of the system. Was ZDI-CAN-6088." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476-NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2018-05-16T20:57:01", "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://zerodayinitiative.com/advisories/ZDI-18-309" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2018_3.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "zdi-disclosures@trendmicro.com", "ID": "CVE-2018-1172", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "The Squid Software Foundation Squid", "version": { "version_data": [ { "version_value": "3.5.27-20180318" } ] } } ] }, "vendor_name": "The Squid Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "This vulnerability allows remote attackers to deny service on vulnerable installations of The Squid Software Foundation Squid 3.5.27-20180318. Authentication is not required to exploit this vulnerability. The specific flaw exists within ClientRequestContext::sslBumpAccessCheck(). A crafted request can trigger the dereference of a null pointer. An attacker can leverage this vulnerability to create a denial-of-service condition to users of the system. Was ZDI-CAN-6088." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-476-NULL Pointer Dereference" } ] } ] }, "references": { "reference_data": [ { "name": "https://zerodayinitiative.com/advisories/ZDI-18-309", "refsource": "MISC", "url": "https://zerodayinitiative.com/advisories/ZDI-18-309" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2018_3.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2018_3.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "assignerShortName": "zdi", "cveId": "CVE-2018-1172", "datePublished": "2018-05-16T21:00:00", "dateReserved": "2017-12-05T00:00:00", "dateUpdated": "2024-08-05T03:51:48.966Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4052
Vulnerability from cvelistv5
Published
2016-04-25 14:00
Modified
2024-08-06 00:17
Summary
Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execute arbitrary code via crafted Edge Side Includes (ESI) responses.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:17:29.854Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "91787", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/91787" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", 
"x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "1035647", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035647" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/86788" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-04-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execute arbitrary code via crafted Edge Side Includes (ESI) responses." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-28T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "91787", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/91787" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ 
"vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "1035647", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035647" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/86788" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4052", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execute arbitrary code via crafted Edge Side Includes (ESI) responses." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_6.txt" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "91787", "refsource": "BID", "url": "http://www.securityfocus.com/bid/91787" }, { "name": "RHSA-2016:1139", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid 
HTTP Caching Proxy multiple issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "1035647", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035647" }, { "name": "DSA-3625", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "refsource": "BID", "url": "http://www.securityfocus.com/bid/86788" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4052", "datePublished": "2016-04-25T14:00:00", "dateReserved": "2016-04-20T00:00:00", "dateUpdated": "2024-08-06T00:17:29.854Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-8517
Vulnerability from cvelistv5
Published
2020-02-04 19:54
Modified
2024-08-04 10:03
Summary
An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy.
References
▼ | URL | Tags |
---|---|---|
http://www.squid-cache.org/Advisories/SQUID-2020_3.txt | x_refsource_MISC | |
http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch | x_refsource_MISC | |
https://usn.ubuntu.com/4289-1/ | vendor-advisory, x_refsource_UBUNTU | |
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html | vendor-advisory, x_refsource_SUSE | |
https://security.gentoo.org/glsa/202003-34 | vendor-advisory, x_refsource_GENTOO | |
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html | vendor-advisory, x_refsource_SUSE | |
https://security.netapp.com/advisory/ntap-20210304-0002/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:03:46.372Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_3.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch" }, { "name": "USN-4289-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "openSUSE-SU-2020:0606", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210304-0002/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. 
This leads to the Squid process also terminating and a denial of service for all clients using the proxy." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-04T12:06:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_3.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch" }, { "name": "USN-4289-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "openSUSE-SU-2020:0606", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210304-0002/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8517", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 4.10. 
Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2020_3.txt", "refsource": "MISC", "url": "http://www.squid-cache.org/Advisories/SQUID-2020_3.txt" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch" }, { "name": "USN-4289-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4289-1/" }, { "name": "openSUSE-SU-2020:0307", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html" }, { "name": "GLSA-202003-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "openSUSE-SU-2020:0606", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00010.html" }, { "name": "openSUSE-SU-2020:0623", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210304-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210304-0002/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8517", "datePublished": "2020-02-04T19:54:31", "dateReserved": "2020-02-02T00:00:00", "dateUpdated": "2024-08-04T10:03:46.372Z", "state": "PUBLISHED" }, 
"dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12529
Vulnerability from cvelistv5
Published
2019-07-11 18:33
Modified
2024-08-04 23:24
Summary
An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.470Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commits/v4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch" }, { "name": "USN-4065-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4065-1/" }, { "name": "[debian-lts-announce] 20190720 [SECURITY] [DLA 1858-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html" }, { "name": "USN-4065-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4065-2/" }, { "name": "FEDORA-2019-cb50bcc189", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2019-06-19T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn\u0027t greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-10T23:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/commits/v4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch" }, { "name": "USN-4065-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4065-1/" }, { "name": "[debian-lts-announce] 20190720 [SECURITY] [DLA 1858-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html" }, { "name": "USN-4065-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4065-2/" }, { "name": "FEDORA-2019-cb50bcc189", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] 
[DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12529", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn\u0027t greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v4/changesets/", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/" }, { "name": "https://github.com/squid-cache/squid/commits/v4", "refsource": "CONFIRM", "url": "https://github.com/squid-cache/squid/commits/v4" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch" }, { "name": "USN-4065-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4065-1/" }, { "name": "[debian-lts-announce] 20190720 [SECURITY] [DLA 1858-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html" }, { "name": "USN-4065-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4065-2/" }, { "name": "FEDORA-2019-cb50bcc189", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "DSA-4507", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "openSUSE-SU-2019:2540", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ] } 
} } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12529", "datePublished": "2019-07-11T18:33:55", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.470Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-0128
Vulnerability from cvelistv5
Published
2014-04-14 15:00
Modified
2024-08-06 09:05
Summary
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.
References
▼ | URL | Tags |
---|---|---|
http://lists.opensuse.org/opensuse-updates/2014-04/msg00030.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-updates/2014-04/msg00060.html | vendor-advisory, x_refsource_SUSE | |
http://secunia.com/advisories/57889 | third-party-advisory, x_refsource_SECUNIA | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html | x_refsource_CONFIRM | |
http://secunia.com/advisories/57288 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/66112 | vdb-entry, x_refsource_BID | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE | |
http://www.squid-cache.org/Advisories/SQUID-2014_1.txt | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:05:38.744Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "openSUSE-SU-2014:0513", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00030.html" }, { "name": "openSUSE-SU-2014:0559", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00060.html" }, { "name": "57889", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/57889" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "57288", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/57288" }, { "name": "66112", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/66112" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2014_1.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-04-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted 
range request, related to state management." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-15T17:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "openSUSE-SU-2014:0513", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00030.html" }, { "name": "openSUSE-SU-2014:0559", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00060.html" }, { "name": "57889", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/57889" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "57288", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/57288" }, { "name": "66112", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/66112" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2014_1.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-0128", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": 
"eng", "value": "Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "openSUSE-SU-2014:0513", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00030.html" }, { "name": "openSUSE-SU-2014:0559", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-04/msg00060.html" }, { "name": "57889", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57889" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "57288", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57288" }, { "name": "66112", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66112" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2014_1.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2014_1.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0128", "datePublished": "2014-04-14T15:00:00", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T09:05:38.744Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4051
Vulnerability from cvelistv5
Published
2016-04-25 14:00
Modified
2024-08-06 00:17
Summary
Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or execute arbitrary code by seeding manager reports with crafted data.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:17:30.083Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_5.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "1035646", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035646" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "91787", "tags": [ "vdb-entry", "x_refsource_BID", 
"x_transferred" ], "url": "http://www.securityfocus.com/bid/91787" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/86788" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-04-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or execute arbitrary code by seeding manager reports with crafted data." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-28T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_5.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "1035646", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035646" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "91787", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/91787" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", 
"x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/86788" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4051", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and 4.x before 4.0.9 might allow remote attackers to cause a denial of service or execute arbitrary code by seeding manager reports with crafted data." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_5.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_5.txt" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "1035646", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035646" }, { "name": "[oss-security] 20160421 CVE Request: Squid HTTP Caching Proxy multiple issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/6" }, { "name": "USN-2995-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "RHSA-2016:1140", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "RHSA-2016:1138", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1138" }, { "name": "91787", "refsource": "BID", "url": "http://www.securityfocus.com/bid/91787" }, { "name": "RHSA-2016:1139", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": 
"http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160420 Re: CVE Request: Squid HTTP Caching Proxy multiple issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/9" }, { "name": "DSA-3625", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3625" }, { "name": "86788", "refsource": "BID", "url": "http://www.securityfocus.com/bid/86788" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4051", "datePublished": "2016-04-25T14:00:00", "dateReserved": "2016-04-20T00:00:00", "dateUpdated": "2024-08-06T00:17:30.083Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-4115
Vulnerability from cvelistv5
Published
2013-08-09 22:00
Modified
2024-08-06 16:30
Summary
Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T16:30:50.017Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2013_2.txt" }, { "name": "54076", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/54076" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "openSUSE-SU-2013:1441", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00030.html" }, { "name": "openSUSE-SU-2013:1444", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00033.html" }, { "name": "54834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/54834" }, { "name": "openSUSE-SU-2013:1443", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00032.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12587.patch" }, { "name": "61111", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/61111" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11823.patch" }, { "name": "54839", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": 
"http://secunia.com/advisories/54839" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9200.patch" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "openSUSE-SU-2013:1435", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00024.html" }, { "name": "squid-idnsalookup-bo(85564)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85564" }, { "name": "openSUSE-SU-2013:1436", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00025.html" }, { "name": "[oss-security] 20130711 Re: CVE request: SQUID-2013:2: buffer overflow in HTTP request handling", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/07/11/8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-07-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2013_2.txt" }, { "name": "54076", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54076" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "openSUSE-SU-2013:1441", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00030.html" }, { "name": "openSUSE-SU-2013:1444", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00033.html" }, { "name": "54834", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54834" }, { "name": "openSUSE-SU-2013:1443", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00032.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12587.patch" }, { "name": "61111", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/61111" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11823.patch" }, { "name": "54839", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54839" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9200.patch" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "openSUSE-SU-2013:1435", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00024.html" }, { "name": "squid-idnsalookup-bo(85564)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85564" }, { "name": "openSUSE-SU-2013:1436", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00025.html" }, { "name": "[oss-security] 20130711 Re: CVE request: SQUID-2013:2: buffer overflow in HTTP request handling", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/07/11/8" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4115", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10487.patch" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2013_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2013_2.txt" }, { "name": "54076", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/54076" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "openSUSE-SU-2013:1441", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00030.html" }, { "name": "openSUSE-SU-2013:1444", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00033.html" }, { "name": "54834", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/54834" }, { "name": "openSUSE-SU-2013:1443", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00032.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12587.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12587.patch" }, { "name": "61111", "refsource": "BID", "url": "http://www.securityfocus.com/bid/61111" }, { "name": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11823.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11823.patch" }, { "name": "54839", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/54839" }, { "name": "http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9200.patch", "refsource": "CONFIRM", "url": 
"http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9200.patch" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "openSUSE-SU-2013:1435", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00024.html" }, { "name": "squid-idnsalookup-bo(85564)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85564" }, { "name": "openSUSE-SU-2013:1436", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00025.html" }, { "name": "[oss-security] 20130711 Re: CVE request: SQUID-2013:2: buffer overflow in HTTP request handling", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/07/11/8" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4115", "datePublished": "2013-08-09T22:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:30:50.017Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12526
Vulnerability from cvelistv5
Published
2019-11-26 16:41
Modified
2024-08-04 23:24
Summary
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to a URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker-controlled data overflowing in the heap.
References
▼ | URL | Tags |
---|---|---|
https://bugzilla.suse.com/show_bug.cgi?id=1156326 | x_refsource_CONFIRM | |
http://www.squid-cache.org/Advisories/SQUID-2019_7.txt | x_refsource_CONFIRM | |
https://usn.ubuntu.com/4213-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html | mailing-list, x_refsource_MLIST | |
https://security.gentoo.org/glsa/202003-34 | vendor-advisory, x_refsource_GENTOO | |
https://www.debian.org/security/2020/dsa-4682 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.860Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156326" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_7.txt" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], 
"descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-10T23:06:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156326" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_7.txt" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "GLSA-202003-34", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ 
"mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12526", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156326", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156326" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2019_7.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2019_7.txt" }, { "name": "USN-4213-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "refsource": "MLIST", "url": 
"https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "GLSA-202003-34", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-34" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12526", "datePublished": "2019-11-26T16:41:57", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.860Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-4096
Vulnerability from cvelistv5
Published
2011-11-17 19:00
Modified
2024-08-06 23:53
Summary
The idnsGrokReply function in Squid before 3.1.16 does not properly free memory, which allows remote attackers to cause a denial of service (daemon abort) via a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record.
References
URL | Tags | |
---|---|---|
http://bugs.squid-cache.org/show_bug.cgi?id=3237#c12 | x_refsource_MISC | |
http://www.redhat.com/support/errata/RHSA-2011-1791.html | vendor-advisory, x_refsource_REDHAT | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://www.openwall.com/lists/oss-security/2011/10/31/5 | mailing-list, x_refsource_MLIST | |
http://www.securitytracker.com/id?1026265 | vdb-entry, x_refsource_SECTRACK | |
http://www.openwall.com/lists/oss-security/2011/11/01/3 | mailing-list, x_refsource_MLIST | |
http://www.mandriva.com/security/advisories?name=MDVSA-2011:193 | vendor-advisory, x_refsource_MANDRIVA | |
http://secunia.com/advisories/46609 | third-party-advisory, x_refsource_SECUNIA | |
http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_16.html | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE | |
http://secunia.com/advisories/47459 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T23:53:32.679Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=3237#c12" }, { "name": "RHSA-2011:1791", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-1791.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20111031 CVE Request -- Squid v3.1.16 -- Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2011/10/31/5" }, { "name": "1026265", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1026265" }, { "name": "[oss-security] 20111031 Re: CVE Request -- Squid v3.1.16 -- Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/01/3" }, { "name": "MDVSA-2011:193", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:193" }, { "name": "46609", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/46609" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_16.html" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "47459", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/47459" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2011-10-31T00:00:00", "descriptions": [ { "lang": "en", "value": "The idnsGrokReply function in Squid before 3.1.16 does not properly free memory, which allows remote attackers to cause a denial of service (daemon abort) via a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=3237#c12" }, { "name": "RHSA-2011:1791", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://www.redhat.com/support/errata/RHSA-2011-1791.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "[oss-security] 20111031 CVE Request -- Squid v3.1.16 -- Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty A-record", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2011/10/31/5" }, { "name": "1026265", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1026265" }, { "name": "[oss-security] 20111031 Re: CVE Request -- Squid v3.1.16 -- Invalid free by processing CNAME DNS record pointing to another CNAME record pointing to an empty 
A-record", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2011/11/01/3" }, { "name": "MDVSA-2011:193", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:193" }, { "name": "46609", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/46609" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/SQUID_3_1_16.html" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "47459", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/47459" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-4096", "datePublished": "2011-11-17T19:00:00", "dateReserved": "2011-10-18T00:00:00", "dateUpdated": "2024-08-06T23:53:32.679Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-13345
Vulnerability from cvelistv5
Published
2019-07-05 15:45
Modified
2024-08-04 23:49
Summary
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:49:24.644Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/429" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.squid-cache.org/show_bug.cgi?id=4957" }, { "name": "[debian-lts-announce] 20190707 [SECURITY] [DLA 1847-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00006.html" }, { "name": "USN-4059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4059-1/" }, { "name": "USN-4059-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4059-2/" }, { "name": "109095", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/109095" }, { "name": "FEDORA-2019-c1e06901bc", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X2ERPHSPUGOYVVRPQRASQBFGS2EJISFC/" }, { "name": "FEDORA-2019-cb50bcc189", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "openSUSE-SU-2019:1963", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00067.html" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", 
"x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "RHSA-2019:3476", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2019:3476" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-10T23:06:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/pull/429" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.squid-cache.org/show_bug.cgi?id=4957" }, { "name": "[debian-lts-announce] 20190707 [SECURITY] [DLA 1847-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00006.html" }, { "name": "USN-4059-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4059-1/" }, { "name": "USN-4059-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4059-2/" }, { "name": "109095", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/109095" }, { "name": "FEDORA-2019-c1e06901bc", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X2ERPHSPUGOYVVRPQRASQBFGS2EJISFC/" }, { "name": "FEDORA-2019-cb50bcc189", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "openSUSE-SU-2019:1963", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00067.html" }, { "name": "DSA-4507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "RHSA-2019:3476", "tags": [ 
"vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2019:3476" }, { "name": "openSUSE-SU-2019:2540", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13345", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/pull/429", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/429" }, { "name": "https://bugs.squid-cache.org/show_bug.cgi?id=4957", "refsource": "MISC", "url": "https://bugs.squid-cache.org/show_bug.cgi?id=4957" }, { "name": "[debian-lts-announce] 20190707 [SECURITY] [DLA 1847-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00006.html" }, { "name": "USN-4059-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4059-1/" }, { "name": "USN-4059-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4059-2/" }, { "name": "109095", "refsource": "BID", "url": "http://www.securityfocus.com/bid/109095" }, { "name": "FEDORA-2019-c1e06901bc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X2ERPHSPUGOYVVRPQRASQBFGS2EJISFC/" }, { "name": "FEDORA-2019-cb50bcc189", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/" }, { "name": "openSUSE-SU-2019:1963", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00067.html" }, { "name": "DSA-4507", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4507" }, { "name": "20190825 [SECURITY] [DSA 4507-1] squid security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Aug/42" }, { "name": "RHSA-2019:3476", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3476" }, { "name": "openSUSE-SU-2019:2540", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html" }, { "name": "openSUSE-SU-2019:2541", "refsource": "SUSE", "url": 
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13345", "datePublished": "2019-07-05T15:45:45", "dateReserved": "2019-07-05T00:00:00", "dateUpdated": "2024-08-04T23:49:24.644Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-5643
Vulnerability from cvelistv5
Published
2012-12-20 11:00
Modified
2024-08-06 21:14
Summary
Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:14:15.955Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-2631", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2013/dsa-2631" }, { "name": "RHSA-2013:0505", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0505.html" }, { "name": "MDVSA-2013:129", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:129" }, { "name": "1027890", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1027890" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10479.patch" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "openSUSE-SU-2013:1443", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00032.html" }, { "name": "[oss-security] 20121217 Re: CVE Request -- SQUID-2012:1 / Squid: DoS (excessive resource consumption) via invalid Content-Length headers or via memory leaks", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2012/12/17/4" }, { "name": "52024", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/52024" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11714.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": 
"http://www.squid-cache.org/Advisories/SQUID-2012_1.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=887962" }, { "name": "54839", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/54839" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "openSUSE-SU-2013:0162", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00052.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=447596" }, { "name": "openSUSE-SU-2013:0186", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00075.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0368" }, { "name": "openSUSE-SU-2013:1436", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00025.html" }, { "name": "USN-1713-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://ubuntu.com/usn/usn-1713-1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-12-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple memory leaks in tools/cachemgr.cc in cachemgr.cgi in Squid 2.x and 3.x before 3.1.22, 3.2.x before 3.2.4, and 3.3.x before 3.3.0.2 allow remote attackers to cause a denial of service (memory consumption) via (1) invalid Content-Length headers, (2) long POST requests, or (3) crafted authentication credentials." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "DSA-2631", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2013/dsa-2631" }, { "name": "RHSA-2013:0505", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0505.html" }, { "name": "MDVSA-2013:129", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:129" }, { "name": "1027890", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1027890" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10479.patch" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "openSUSE-SU-2013:1443", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00032.html" }, { "name": "[oss-security] 20121217 Re: CVE Request -- SQUID-2012:1 / Squid: DoS (excessive resource consumption) via invalid Content-Length headers or via memory leaks", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2012/12/17/4" }, { "name": "52024", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52024" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11714.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2012_1.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=887962" }, { "name": "54839", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/54839" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "openSUSE-SU-2013:0162", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00052.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=447596" }, { "name": "openSUSE-SU-2013:0186", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-01/msg00075.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0368" }, { "name": "openSUSE-SU-2013:1436", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-09/msg00025.html" }, { "name": "USN-1713-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://ubuntu.com/usn/usn-1713-1" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5643", "datePublished": "2012-12-20T11:00:00", "dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2024-08-06T21:14:15.955Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2013-1839
Vulnerability from cvelistv5
Published
2013-09-30 20:00
Modified
2024-08-06 15:13
Summary
The strHdrAcptLangGetItem function in errorpage.cc in Squid 3.2.x before 3.2.9 and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a "," character in an Accept-Language header.
References
URL | Tags | |
---|---|---|
http://www.securityfocus.com/bid/58316 | vdb-entry, x_refsource_BID | |
http://secunia.com/advisories/52588 | third-party-advisory, x_refsource_SECUNIA | |
http://www.squid-cache.org/Advisories/SQUID-2013_1.txt | x_refsource_CONFIRM | |
http://archives.neohapsis.com/archives/bugtraq/2013-03/0025.html | mailing-list, x_refsource_BUGTRAQ | |
http://archives.neohapsis.com/archives/bugtraq/2013-03/0069.html | mailing-list, x_refsource_BUGTRAQ | |
http://www.openwall.com/lists/oss-security/2013/03/11/7 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:13:33.008Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "58316", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/58316" }, { "name": "52588", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/52588" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2013_1.txt" }, { "name": "20130305 Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-03/0025.html" }, { "name": "20130307 Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-03/0069.html" }, { "name": "[oss-security] 20130311 Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/11/7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The strHdrAcptLangGetItem function in errorpage.cc in Squid 3.2.x before 3.2.9 and 3.3.x before 3.3.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a \",\" character in an Accept-Language header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2013-09-30T20:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "58316", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/58316" }, { "name": "52588", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52588" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2013_1.txt" }, { "name": "20130305 Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-03/0025.html" }, { "name": "20130307 Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-03/0069.html" }, { "name": "[oss-security] 20130311 Re: Squid 3.2.7 DoS (loop, 100% cpu) strHdrAcptLangGetItem() at errorpage.cc", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/03/11/7" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1839", "datePublished": "2013-09-30T20:00:00Z", "dateReserved": "2013-02-19T00:00:00Z", "dateUpdated": "2024-08-06T15:13:33.008Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-14059
Vulnerability from cvelistv5
Published
2020-06-30 18:23
Modified
2024-08-04 12:32
Summary
An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list.
References
URL | Tags | |
---|---|---|
http://www.squid-cache.org/Versions/v5/changesets/squid-5-7a5af8db8e0377c06ed9ffbdcb1334389c7cd8ab.patch | x_refsource_MISC | |
http://www.squid-cache.org/Advisories/SQUID-2020_5.txt | x_refsource_CONFIRM | |
https://security.netapp.com/advisory/ntap-20210312-0001/ | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:32:14.706Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-7a5af8db8e0377c06ed9ffbdcb1334389c7cd8ab.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_5.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210312-0001/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-06-19T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-12T12:06:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-7a5af8db8e0377c06ed9ffbdcb1334389c7cd8ab.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2020_5.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210312-0001/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-14059", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-7a5af8db8e0377c06ed9ffbdcb1334389c7cd8ab.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-7a5af8db8e0377c06ed9ffbdcb1334389c7cd8ab.patch" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2020_5.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2020_5.txt" }, { "name": "https://security.netapp.com/advisory/ntap-20210312-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210312-0001/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-14059", "datePublished": "2020-06-30T18:23:39", "dateReserved": "2020-06-13T00:00:00", "dateUpdated": "2024-08-04T12:32:14.706Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-7142
Vulnerability from cvelistv5
Published
2014-11-26 15:00
Modified
2024-08-06 12:40
Summary
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.
References
URL | Tags |
---|---|
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt | x_refsource_CONFIRM |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE |
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html | x_refsource_CONFIRM |
http://secunia.com/advisories/60242 | third-party-advisory, x_refsource_SECUNIA |
https://bugzilla.novell.com/show_bug.cgi?id=891268 | x_refsource_CONFIRM |
http://seclists.org/oss-sec/2014/q3/613 | mailing-list, x_refsource_MLIST |
http://seclists.org/oss-sec/2014/q3/539 | mailing-list, x_refsource_MLIST |
http://www.securityfocus.com/bid/70022 | vdb-entry, x_refsource_BID |
http://ubuntu.com/usn/usn-2422-1 | vendor-advisory, x_refsource_UBUNTU |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE |
http://seclists.org/oss-sec/2014/q3/626 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T12:40:19.097Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2014_4.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "60242", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/60242" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.novell.com/show_bug.cgi?id=891268" }, { "name": "[oss-security] 20140916 Re: Re: CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q3/613" }, { "name": "[oss-security] 20140909 CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q3/539" }, { "name": "70022", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/70022" }, { "name": "USN-2422-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://ubuntu.com/usn/usn-2422-1" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20140922 Re: CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://seclists.org/oss-sec/2014/q3/626" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ 
{ "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-09-09T00:00:00", "descriptions": [ { "lang": "en", "value": "The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2014_4.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "60242", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/60242" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.novell.com/show_bug.cgi?id=891268" }, { "name": "[oss-security] 20140916 Re: Re: CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q3/613" }, { "name": "[oss-security] 20140909 CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q3/539" }, { "name": "70022", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/70022" }, { "name": "USN-2422-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://ubuntu.com/usn/usn-2422-1" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": 
"http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20140922 Re: CVE-Request: squid pinger remote DoS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://seclists.org/oss-sec/2014/q3/626" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-7142", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2014_4.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2014_4.txt" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html" }, { "name": "60242", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60242" }, { "name": "https://bugzilla.novell.com/show_bug.cgi?id=891268", "refsource": "CONFIRM", "url": "https://bugzilla.novell.com/show_bug.cgi?id=891268" }, { "name": "[oss-security] 20140916 Re: Re: CVE-Request: squid pinger remote DoS", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q3/613" }, { "name": "[oss-security] 20140909 CVE-Request: squid pinger 
remote DoS", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q3/539" }, { "name": "70022", "refsource": "BID", "url": "http://www.securityfocus.com/bid/70022" }, { "name": "USN-2422-1", "refsource": "UBUNTU", "url": "http://ubuntu.com/usn/usn-2422-1" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20140922 Re: CVE-Request: squid pinger remote DoS", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2014/q3/626" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-7142", "datePublished": "2014-11-26T15:00:00", "dateReserved": "2014-09-22T00:00:00", "dateUpdated": "2024-08-06T12:40:19.097Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15811
Vulnerability from cvelistv5
Published
2020-09-02 16:35
Modified
2024-08-04 13:30
Summary
An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:30:22.344Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv" }, { "name": "DSA-4751", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4751" }, { "name": "USN-4477-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4477-1/" }, { "name": "FEDORA-2020-73af8655eb", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/" }, { "name": "FEDORA-2020-63f3bd656e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/" }, { "name": "openSUSE-SU-2020:1346", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "FEDORA-2020-6c58bff862", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/" }, { "name": "USN-4551-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "tags": [ "mailing-list", 
"x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210219-0007/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0007/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-26T08:06:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv" }, { "name": "DSA-4751", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4751" }, { "name": "USN-4477-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4477-1/" }, { "name": "FEDORA-2020-73af8655eb", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/" }, { "name": "FEDORA-2020-63f3bd656e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/" }, { "name": "openSUSE-SU-2020:1346", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "FEDORA-2020-6c58bff862", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/" }, { "name": "USN-4551-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": 
"https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210219-0007/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0007/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-15811", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv" }, { "name": "DSA-4751", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4751" }, { "name": "USN-4477-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4477-1/" }, { "name": "FEDORA-2020-73af8655eb", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/" }, { "name": "FEDORA-2020-63f3bd656e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/" }, { "name": "openSUSE-SU-2020:1346", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "FEDORA-2020-6c58bff862", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/" }, { "name": "USN-4551-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210219-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210219-0007/" }, { "name": "https://security.netapp.com/advisory/ntap-20210226-0007/", "refsource": "CONFIRM", "url": 
"https://security.netapp.com/advisory/ntap-20210226-0007/" }, { "name": "https://security.netapp.com/advisory/ntap-20210226-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210226-0006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-15811", "datePublished": "2020-09-02T16:35:04", "dateReserved": "2020-07-17T00:00:00", "dateUpdated": "2024-08-04T13:30:22.344Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-33620
Vulnerability from cvelistv5
Published
2021-05-28 00:00
Modified
2024-08-03 23:58
Severity 6.5 (MEDIUM, CVSS 3.1: CVSS:3.1/AC:L/AV:N/A:H/C:N/I:N/PR:L/S:U/UI:N)
Summary
Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:58:21.468Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-8af775ed98bfd610f9ce762fe177e01b2675588c.patch" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-1e05a85bd28c22c9ca5d3ac9f5e86d6269ec0a8c.patch" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to 
all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:N/I:N/PR:L/S:U/UI:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-17T04:06:14.805254", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f" }, { "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-8af775ed98bfd610f9ce762fe177e01b2675588c.patch" }, { "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-1e05a85bd28c22c9ca5d3ac9f5e86d6269ec0a8c.patch" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security 
Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-33620", "datePublished": "2021-05-28T00:00:00", "dateReserved": "2021-05-28T00:00:00", "dateUpdated": "2024-08-03T23:58:21.468Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-18677
Vulnerability from cvelistv5
Published
2019-11-26 16:21
Modified
2024-08-05 01:54
Summary
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:54:14.540Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/427" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156328" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ 
"mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-10T23:06:16", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/pull/427" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156328" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18677", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/pull/427", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/427" }, { "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156328", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156328" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch" }, { "name": "USN-4213-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", 
"refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18677", "datePublished": "2019-11-26T16:21:59", "dateReserved": "2019-11-04T00:00:00", "dateUpdated": "2024-08-05T01:54:14.540Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-18860
Vulnerability from cvelistv5
Published
2020-03-20 20:32
Modified
2024-08-05 02:02
Summary
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
References
▼ | URL | Tags |
---|---|---|
https://github.com/squid-cache/squid/pull/504 | x_refsource_CONFIRM | |
https://github.com/squid-cache/squid/pull/505 | x_refsource_MISC | |
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html | vendor-advisory, x_refsource_SUSE | |
https://usn.ubuntu.com/4356-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2020/dsa-4732 | vendor-advisory, x_refsource_DEBIAN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T02:02:39.914Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/504" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/505" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "USN-4356-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "DSA-4732", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4732" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-22T14:06:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/pull/504" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/pull/505" }, { "name": "openSUSE-SU-2020:0623", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "USN-4356-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "DSA-4732", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4732" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18860", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/pull/504", "refsource": "CONFIRM", "url": "https://github.com/squid-cache/squid/pull/504" }, { "name": "https://github.com/squid-cache/squid/pull/505", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/505" }, { "name": "openSUSE-SU-2020:0623", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html" }, { "name": "USN-4356-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4356-1/" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "DSA-4732", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4732" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18860", "datePublished": "2020-03-20T20:32:16", "dateReserved": "2019-11-11T00:00:00", "dateUpdated": "2024-08-05T02:02:39.914Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15049
Vulnerability from cvelistv5
Published
2020-06-30 17:55
Modified
2024-08-04 13:08
Summary
An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing a "+" or "-" sign, or an uncommon shell whitespace character, as a prefix to the length field-value.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:08:21.396Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5" }, { "name": "FEDORA-2020-cbebc5617e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/" }, { "name": "DSA-4732", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4732" }, { "name": "openSUSE-SU-2020:1346", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "USN-4551-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210312-0001/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { 
"product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-06-26T00:00:00", "descriptions": [ { "lang": "en", "value": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-03-12T12:06:30", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5" }, { "name": "FEDORA-2020-cbebc5617e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/" }, { "name": "DSA-4732", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4732" }, { "name": "openSUSE-SU-2020:1346", "tags": [ 
"vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "USN-4551-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210312-0001/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-15049", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch" }, { "name": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch" }, { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5", "refsource": "CONFIRM", "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5" }, { "name": "FEDORA-2020-cbebc5617e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/" }, { "name": "DSA-4732", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4732" }, { "name": "openSUSE-SU-2020:1346", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "USN-4551-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "refsource": "MLIST", "url": 
"https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210312-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210312-0001/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-15049", "datePublished": "2020-06-30T17:55:55", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.396Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-25111
Vulnerability from cvelistv5
Published
2024-03-06 18:14
Modified
2024-08-01 23:36
Summary
SQUID-2024:1 Denial of Service in HTTP Chunked Decoding
References
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "bluexp", "vendor": "netapp", "versions": [ { "lessThan": "*", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:squid-cache:squid:3.5.27:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "squid", "vendor": "squid-cache", "versions": [ { "lessThan": "6.8", "status": "affected", "version": "3.5.27", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fedora", "vendor": "fedoraproject", "versions": [ { "status": "affected", "version": "38" } ] }, { "cpes": [ "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "fedora", "vendor": "fedoraproject", "versions": [ { "status": "affected", "version": "39" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-25111", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-25T16:32:12.720279Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-25T16:34:20.389Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T23:36:21.702Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch" }, { "tags": [ "x_transferred" ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240605-0001/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003e= 3.5.27, \u003c 6.8" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid\u0027s patch archives. There is no workaround for this issue." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-06T18:14:28.889Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch", "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/" }, { "url": "https://security.netapp.com/advisory/ntap-20240605-0001/" } ], "source": { "advisory": "GHSA-72c2-c3wm-8qxc", "discovery": "UNKNOWN" }, "title": "SQUID-2024:1 Denial of Service in HTTP Chunked Decoding" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-25111", "datePublished": "2024-03-06T18:14:28.889Z", "dateReserved": "2024-02-05T14:14:46.378Z", "dateUpdated": "2024-08-01T23:36:21.702Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-23638
Vulnerability from cvelistv5
Published
2024-01-23 23:23
Modified
2024-08-01 23:06
Summary
SQUID-2023:11 Denial of Service in Cache Manager
References
Impacted products
▼ | Vendor | Product |
---|---|---|
squid-cache | squid |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:06:25.310Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx" }, { "name": "https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b" }, { "name": "https://github.com/squid-cache/squid/commit/e8118a7381213f5cfcdeb4cec1d2d854bfd261c8", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/commit/e8118a7381213f5cfcdeb4cec1d2d854bfd261c8" }, { "name": "https://megamansec.github.io/Squid-Security-Audit/stream-assert.html", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://megamansec.github.io/Squid-Security-Audit/stream-assert.html" }, { "name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20240208-0010/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/" } ], "title": "CVE Program Container" } ], "cna": { 
"affected": [ { "product": "squid", "vendor": "squid-cache", "versions": [ { "status": "affected", "version": "\u003c 6.6" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid\u0027s patch archives. As a workaround, prevent access to Cache Manager using Squid\u0027s main access control: `http_access deny manager`." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-825", "description": "CWE-825: Expired Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-23T23:23:19.070Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx" }, { "name": "https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b" }, { "name": "https://github.com/squid-cache/squid/commit/e8118a7381213f5cfcdeb4cec1d2d854bfd261c8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/commit/e8118a7381213f5cfcdeb4cec1d2d854bfd261c8" }, { "name": "https://megamansec.github.io/Squid-Security-Audit/stream-assert.html", "tags": [ "x_refsource_MISC" ], "url": "https://megamansec.github.io/Squid-Security-Audit/stream-assert.html" }, { "name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch", "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch" }, { "name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch", "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch" }, { "url": "https://security.netapp.com/advisory/ntap-20240208-0010/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/" } ], "source": { "advisory": "GHSA-j49p-553x-48rx", "discovery": "UNKNOWN" }, "title": "SQUID-2023:11 Denial of Service in Cache Manager" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-23638", "datePublished": "2024-01-23T23:23:19.070Z", "dateReserved": "2024-01-19T00:18:53.232Z", "dateUpdated": "2024-08-01T23:06:25.310Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-31808
Vulnerability from cvelistv5
Published
2021-05-27 00:00
Modified
2024-08-03 23:10
Summary
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:10:30.120Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf" }, { "tags": [ "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch" }, { "name": "DSA-4924", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210716-0007/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 
before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-17T04:06:16.573947", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf" }, { "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch" }, { "name": "DSA-4924", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2021/dsa-4924" }, { "name": "FEDORA-2021-c0bec55ec7", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/" }, { "name": "FEDORA-2021-24af72ff2c", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/" }, { "name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html" }, { "url": "https://security.netapp.com/advisory/ntap-20210716-0007/" }, { "name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3" }, { "name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": [ "mailing-list" ], "url": "http://seclists.org/fulldisclosure/2023/Oct/14" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-31808", 
"datePublished": "2021-05-27T00:00:00", "dateReserved": "2021-04-26T00:00:00", "dateUpdated": "2024-08-03T23:10:30.120Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-4555
Vulnerability from cvelistv5
Published
2016-05-10 19:00
Modified
2024-08-06 00:32
Summary
client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:32:25.838Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4455" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "[oss-security] 20160506 Re: CVE Request: Squid HTTP caching proxy", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/05/06/5" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "1035770", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035770" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": 
"http://www.squid-cache.org/Advisories/SQUID-2016_9.txt" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160506 CVE Request: Squid HTTP caching proxy", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/05/06/3" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3625" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-05-06T00:00:00", "descriptions": [ { "lang": "en", "value": "client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-28T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4455" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch" }, { "name": "USN-2995-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "[oss-security] 20160506 Re: CVE Request: Squid HTTP caching proxy", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/05/06/5" }, { "name": "RHSA-2016:1140", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "1035770", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035770" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_9.txt" }, { "name": "RHSA-2016:1139", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": 
"https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160506 CVE Request: Squid HTTP caching proxy", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/05/06/3" }, { "name": "DSA-3625", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3625" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4555", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://bugs.squid-cache.org/show_bug.cgi?id=4455", "refsource": "CONFIRM", "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4455" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_9.patch" }, { "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_9.patch" }, { "name": "USN-2995-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2995-1" }, { "name": "[oss-security] 20160506 Re: CVE Request: Squid HTTP caching proxy", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/05/06/5" }, { "name": "RHSA-2016:1140", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2016:1140" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "1035770", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035770" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_9.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_9.txt" }, { "name": "RHSA-2016:1139", "refsource": "REDHAT", "url": 
"https://access.redhat.com/errata/RHSA-2016:1139" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "[oss-security] 20160506 CVE Request: Squid HTTP caching proxy", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/05/06/3" }, { "name": "DSA-3625", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3625" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4555", "datePublished": "2016-05-10T19:00:00", "dateReserved": "2016-05-06T00:00:00", "dateUpdated": "2024-08-06T00:32:25.838Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-2570
Vulnerability from cvelistv5
Published
2016-02-27 02:00
Modified
2024-08-05 23:32
Summary
The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h.
References
URL | Tags | |
---|---|---|
https://usn.ubuntu.com/3557-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://security.gentoo.org/glsa/201607-01 | vendor-advisory, x_refsource_GENTOO | |
http://www.squid-cache.org/Advisories/SQUID-2016_2.txt | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch | x_refsource_CONFIRM | |
http://rhn.redhat.com/errata/RHSA-2016-2600.html | vendor-advisory, x_refsource_REDHAT | |
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html | vendor-advisory, x_refsource_SUSE | |
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2016/02/26/2 | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE | |
http://www.securitytracker.com/id/1035101 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:32:20.956Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035101" } ], "title": "CVE Program 
Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-02-26T00:00:00", "descriptions": [ { "lang": "en", "value": "The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-15T09:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "tags": [ 
"mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035101" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2570", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3557-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_2.txt" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch" }, { "name": "RHSA-2016:2600", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch" }, { "name": "[oss-security] 20160226 Re: CVE request: Squid HTTP Caching Proxy multiple denial of service issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/26/2" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "1035101", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035101" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-2570", "datePublished": "2016-02-27T02:00:00", "dateReserved": "2016-02-26T00:00:00", "dateUpdated": "2024-08-05T23:32:20.956Z", "state": "PUBLISHED" 
}, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-2390
Vulnerability from cvelistv5
Published
2016-04-19 21:00
Modified
2024-08-05 23:24
Summary
The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message.
References
URL | Tags | |
---|---|---|
http://www.squid-cache.org/Advisories/SQUID-2016_1.txt | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://www.securitytracker.com/id/1035045 | vdb-entry, x_refsource_SECTRACK | |
http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000038.html | mailing-list, x_refsource_MLIST | |
http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000037.html | mailing-list, x_refsource_MLIST | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE | |
http://bugs.squid-cache.org/show_bug.cgi?id=4437 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:24:49.262Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_1.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "1035045", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035045" }, { "name": "[squid-announce] 20160216 Squid 4.0.6 beta is available", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000038.html" }, { "name": "[squid-announce] 20160216 Squid 3.5.14 is available", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000037.html" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4437" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-02-13T00:00:00", "descriptions": [ { "lang": "en", "value": "The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_1.txt" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "1035045", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035045" }, { "name": "[squid-announce] 20160216 Squid 4.0.6 beta is available", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000038.html" }, { "name": "[squid-announce] 20160216 Squid 3.5.14 is available", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000037.html" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4437" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2390", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers 
to cause a denial of service (application crash) via a plaintext HTTP message." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_1.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_1.txt" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "1035045", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035045" }, { "name": "[squid-announce] 20160216 Squid 4.0.6 beta is available", "refsource": "MLIST", "url": "http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000038.html" }, { "name": "[squid-announce] 20160216 Squid 3.5.14 is available", "refsource": "MLIST", "url": "http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000037.html" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "http://bugs.squid-cache.org/show_bug.cgi?id=4437", "refsource": "CONFIRM", "url": "http://bugs.squid-cache.org/show_bug.cgi?id=4437" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-2390", "datePublished": "2016-04-19T21:00:00", "dateReserved": "2016-02-16T00:00:00", "dateUpdated": "2024-08-05T23:24:49.262Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12523
Vulnerability from cvelistv5
Published
2019-11-26 16:39
Modified
2024-08-04 23:24
Summary
An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost.
References
▼ | URL | Tags |
---|---|---|
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html | x_refsource_CONFIRM | |
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt | x_refsource_CONFIRM | |
https://bugzilla.suse.com/show_bug.cgi?id=1156329 | x_refsource_CONFIRM | |
https://usn.ubuntu.com/4213-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2020/dsa-4682 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html | mailing-list, x_refsource_MLIST | |
https://usn.ubuntu.com/4446-1/ | vendor-advisory, x_refsource_UBUNTU |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:39.198Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4446-1/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.9. 
When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn\u0027t go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-05T19:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4446-1/" } ], "x_legacyV4Record": { 
"CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12523", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn\u0027t go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html", "refsource": "CONFIRM", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt" }, { "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156329", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329" }, { "name": "USN-4213-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": 
"https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4446-1/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12523", "datePublished": "2019-11-26T16:39:59", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:39.198Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-3948
Vulnerability from cvelistv5
Published
2016-04-07 18:00
Modified
2024-08-06 00:10
Summary
Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a crafted HTTP response, related to Vary headers.
References
URL | Tags | |
---|---|---|
https://usn.ubuntu.com/3557-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://security.gentoo.org/glsa/201607-01 | vendor-advisory, x_refsource_GENTOO | |
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html | vendor-advisory, x_refsource_SUSE | |
http://rhn.redhat.com/errata/RHSA-2016-2600.html | vendor-advisory, x_refsource_REDHAT | |
http://www.securitytracker.com/id/1035458 | vdb-entry, x_refsource_SECTRACK | |
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html | vendor-advisory, x_refsource_SUSE | |
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html | vendor-advisory, x_refsource_SUSE | |
http://www.squid-cache.org/Advisories/SQUID-2016_4.txt | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T00:10:31.913Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "name": "1035458", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035458" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_4.txt" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-04-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a crafted HTTP response, 
related to Vary headers." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-15T09:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "USN-3557-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/201607-01" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch" }, { "name": "SUSE-SU-2016:1996", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "RHSA-2016:2600", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "name": "1035458", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035458" }, { "name": "openSUSE-SU-2016:2081", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "SUSE-SU-2016:2089", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2016_4.txt" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-3948", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid 3.x before 
3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a crafted HTTP response, related to Vary headers." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "USN-3557-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3557-1/" }, { "name": "GLSA-201607-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201607-01" }, { "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch" }, { "name": "SUSE-SU-2016:1996", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html" }, { "name": "RHSA-2016:2600", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-2600.html" }, { "name": "1035458", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035458" }, { "name": "openSUSE-SU-2016:2081", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html" }, { "name": "SUSE-SU-2016:2089", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2016_4.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2016_4.txt" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-3948", "datePublished": "2016-04-07T18:00:00", "dateReserved": "2016-04-01T00:00:00", "dateUpdated": "2024-08-06T00:10:31.913Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-24606
Vulnerability from cvelistv5
Published
2020-08-24 17:06
Modified
2024-08-04 15:19
Severity: 8.6 HIGH (CVSS 3.1 base score, taken from the CNA metrics in the record below)
EPSS score ?
Summary
Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() in peer_digest.cc mishandles EOF and livelocks.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T15:19:08.544Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch" }, { "name": "DSA-4751", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4751" }, { "name": "USN-4477-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4477-1/" }, { "name": "FEDORA-2020-73af8655eb", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/" }, { "name": "FEDORA-2020-63f3bd656e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/" }, { "name": "openSUSE-SU-2020:1346", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "FEDORA-2020-6c58bff862", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/" }, { "name": "USN-4551-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": 
"https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210219-0007/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0007/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:C/UI:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-26T08:06:41", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch" }, { "name": "DSA-4751", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4751" }, { "name": "USN-4477-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4477-1/" }, { "name": "FEDORA-2020-73af8655eb", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/" }, { "name": "FEDORA-2020-63f3bd656e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/" }, { "name": "openSUSE-SU-2020:1346", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "FEDORA-2020-6c58bff862", "tags": [ "vendor-advisory", 
"x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/" }, { "name": "USN-4551-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210219-0007/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0007/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24606", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF." 
} ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:N/I:N/PR:N/S:C/UI:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch", "refsource": "MISC", "url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_9.patch" }, { "name": "DSA-4751", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4751" }, { "name": "USN-4477-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4477-1/" }, { "name": "FEDORA-2020-73af8655eb", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/" }, { "name": "FEDORA-2020-63f3bd656e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/" }, { "name": "openSUSE-SU-2020:1346", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "FEDORA-2020-6c58bff862", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/" }, { "name": "USN-4551-1", "refsource": "UBUNTU", "url": 
"https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210219-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210219-0007/" }, { "name": "https://security.netapp.com/advisory/ntap-20210226-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210226-0007/" }, { "name": "https://security.netapp.com/advisory/ntap-20210226-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210226-0006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24606", "datePublished": "2020-08-24T17:06:24", "dateReserved": "2020-08-24T00:00:00", "dateUpdated": "2024-08-04T15:19:08.544Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2009-2622
Vulnerability from cvelistv5
Published
2009-07-28 17:00
Modified
2024-08-07 05:59
Severity ?
EPSS score ?
Summary
Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) "missing or mismatched protocol identifier," (2) "missing or negative status value," (3) "missing version," or (4) "missing or invalid status number," related to (a) HttpMsg.cc and (b) HttpReply.cc.
References
▼ | URL | Tags |
---|---|---|
http://www.securitytracker.com/id?1022607 | vdb-entry, x_refsource_SECTRACK | |
http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/35812 | vdb-entry, x_refsource_BID | |
http://www.vupen.com/english/advisories/2009/2013 | vdb-entry, x_refsource_VUPEN | |
http://secunia.com/advisories/36007 | third-party-advisory, x_refsource_SECUNIA | |
http://www.squid-cache.org/Advisories/SQUID-2009_2.txt | x_refsource_CONFIRM | |
http://www.mandriva.com/security/advisories?name=MDVSA-2009:161 | vendor-advisory, x_refsource_MANDRIVA | |
http://www.mandriva.com/security/advisories?name=MDVSA-2009:178 | vendor-advisory, x_refsource_MANDRIVA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T05:59:56.150Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "1022607", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1022607" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch" }, { "name": "35812", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/35812" }, { "name": "ADV-2009-2013", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/2013" }, { "name": "36007", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36007" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2009_2.txt" }, { "name": "MDVSA-2009:161", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:161" }, { "name": "MDVSA-2009:178", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:178" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-07-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) \"missing or mismatched protocol identifier,\" (2) missing or negative status value,\" (3) \"missing version,\" or (4) \"missing or invalid status number,\" related to (a) HttpMsg.cc and (b) HttpReply.cc." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2009-08-07T09:00:00", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "name": "1022607", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1022607" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch" }, { "name": "35812", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/35812" }, { "name": "ADV-2009-2013", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/2013" }, { "name": "36007", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36007" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2009_2.txt" }, { "name": "MDVSA-2009:161", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:161" }, { "name": "MDVSA-2009:178", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:178" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "ID": "CVE-2009-2622", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Squid 3.0 through 3.0.STABLE16 and 3.1 through 3.1.0.11 allows remote attackers to cause a denial of service via malformed requests including (1) \"missing or mismatched protocol identifier,\" (2) missing or negative status value,\" (3) \"missing version,\" or 
(4) \"missing or invalid status number,\" related to (a) HttpMsg.cc and (b) HttpReply.cc." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "1022607", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1022607" }, { "name": "http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v3/3.1/changesets/b9661.patch" }, { "name": "35812", "refsource": "BID", "url": "http://www.securityfocus.com/bid/35812" }, { "name": "ADV-2009-2013", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2013" }, { "name": "36007", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36007" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2009_2.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2009_2.txt" }, { "name": "MDVSA-2009:161", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:161" }, { "name": "MDVSA-2009:178", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:178" } ] } } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2009-2622", "datePublished": "2009-07-28T17:00:00", "dateReserved": "2009-07-28T00:00:00", "dateUpdated": "2024-08-07T05:59:56.150Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-46848
Vulnerability from cvelistv5
Published
2023-11-03 07:58
Modified
2024-11-06 14:44
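Severity: 8.6 HIGH (CVSS 3.1 base score, taken from the CNA metrics in the record below; Red Hat severity rating: Important)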
EPSS score ?
Summary
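Squid: denial of service in ftp. Per the description in the record below, a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input; the record lists upstream squid from 5.0.3 up to, but not including, 6.4 as affected.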
References
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2023:6266 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2023:6268 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2023:6748 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2023-46848 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2245919 | issue-tracking, x_refsource_REDHAT | |
https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:53:21.945Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2023:6266", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6266" }, { "name": "RHSA-2023:6268", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6268" }, { "name": "RHSA-2023:6748", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/errata/RHSA-2023:6748" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT", "x_transferred" ], "url": "https://access.redhat.com/security/cve/CVE-2023-46848" }, { "name": "RHBZ#2245919", "tags": [ "issue-tracking", "x_refsource_REDHAT", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245919" }, { "tags": [ "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w" }, { "tags": [ "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20231214-0005/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "collectionURL": "https://github.com/squid-cache/squid", "defaultStatus": "unaffected", "packageName": "squid", "versions": [ { "lessThan": "6.4", "status": "affected", "version": "5.0.3", "versionType": "semver" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.5-5.el9_2.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", 
"packageName": "squid", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.5-6.el9_3.1", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/a:redhat:rhel_eus:9.0::appstream" ], "defaultStatus": "affected", "packageName": "squid", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "vendor": "Red Hat", "versions": [ { "lessThan": "*", "status": "unaffected", "version": "7:5.2-1.el9_0.3", "versionType": "rpm" } ] }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "unaffected", "packageName": "squid", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:7" ], "defaultStatus": "unaffected", "packageName": "squid", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat" }, { "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "cpes": [ "cpe:/o:redhat:enterprise_linux:8" ], "defaultStatus": "unaffected", "packageName": "squid:4/squid", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat" } ], "datePublic": "2023-10-19T00:00:00+00:00", "descriptions": [ { "lang": "en", "value": "Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input." 
} ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-681", "description": "Incorrect Conversion between Numeric Types", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-06T14:44:15.846Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2023:6266", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6266" }, { "name": "RHSA-2023:6268", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6268" }, { "name": "RHSA-2023:6748", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2023:6748" }, { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2023-46848" }, { "name": "RHBZ#2245919", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245919" }, { "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w" } ], "timeline": [ { "lang": "en", "time": "2023-10-24T00:00:00+00:00", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2023-10-19T00:00:00+00:00", "value": "Made public." 
} ], "title": "Squid: denial of service in ftp", "x_redhatCweChain": "CWE-400-\u003eCWE-681: Uncontrolled Resource Consumption leads to Incorrect Conversion between Numeric Types" } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2023-46848", "datePublished": "2023-11-03T07:58:05.613Z", "dateReserved": "2023-10-27T08:36:38.158Z", "dateUpdated": "2024-11-06T14:44:15.846Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-15810
Vulnerability from cvelistv5
Published
2020-09-02 16:34
Modified
2024-08-04 13:30
Severity ?
EPSS score ?
Summary
An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:30:21.842Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m" }, { "name": "DSA-4751", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4751" }, { "name": "USN-4477-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4477-1/" }, { "name": "FEDORA-2020-73af8655eb", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/" }, { "name": "FEDORA-2020-63f3bd656e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/" }, { "name": "openSUSE-SU-2020:1346", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "FEDORA-2020-6c58bff862", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/" }, { "name": "USN-4551-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "tags": [ "mailing-list", 
"x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210219-0007/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0007/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-26T08:06:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m" }, { "name": "DSA-4751", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4751" }, { "name": "USN-4477-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4477-1/" }, { "name": "FEDORA-2020-73af8655eb", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/" }, { "name": "FEDORA-2020-63f3bd656e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/" }, { "name": "openSUSE-SU-2020:1346", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "FEDORA-2020-6c58bff862", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/" }, { "name": "USN-4551-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": 
"https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210219-0007/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0007/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210226-0006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-15810", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m" }, { "name": "DSA-4751", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4751" }, { "name": "USN-4477-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4477-1/" }, { "name": "FEDORA-2020-73af8655eb", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/" }, { "name": "FEDORA-2020-63f3bd656e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/" }, { "name": "openSUSE-SU-2020:1346", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html" }, { "name": "openSUSE-SU-2020:1369", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html" }, { "name": "FEDORA-2020-6c58bff862", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/" }, { "name": "USN-4551-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4551-1/" }, { "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210219-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210219-0007/" }, { "name": "https://security.netapp.com/advisory/ntap-20210226-0007/", "refsource": "CONFIRM", "url": 
"https://security.netapp.com/advisory/ntap-20210226-0007/" }, { "name": "https://security.netapp.com/advisory/ntap-20210226-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210226-0006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-15810", "datePublished": "2020-09-02T16:34:04", "dateReserved": "2020-07-17T00:00:00", "dateUpdated": "2024-08-04T13:30:21.842Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-18676
Vulnerability from cvelistv5
Published
2019-11-26 16:23
Modified
2024-08-05 01:54
Severity ?
EPSS score ?
Summary
An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.
References
URL | Tags | |
---|---|---|
https://github.com/squid-cache/squid/pull/275 | x_refsource_MISC | |
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt | x_refsource_CONFIRM | |
https://bugzilla.suse.com/show_bug.cgi?id=1156329 | x_refsource_CONFIRM | |
http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch | x_refsource_CONFIRM | |
https://usn.ubuntu.com/4213-1/ | vendor-advisory, x_refsource_UBUNTU | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/ | vendor-advisory, x_refsource_FEDORA | |
https://www.debian.org/security/2020/dsa-4682 | vendor-advisory, x_refsource_DEBIAN | |
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html | mailing-list, x_refsource_MLIST | |
https://usn.ubuntu.com/4446-1/ | vendor-advisory, x_refsource_UBUNTU |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:54:14.482Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/squid-cache/squid/pull/275" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "https://usn.ubuntu.com/4446-1/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", 
"version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-05T19:06:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/squid-cache/squid/pull/275" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch" }, { "name": "USN-4213-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "DSA-4682", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": [ "mailing-list", 
"x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "https://usn.ubuntu.com/4446-1/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18676", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/squid-cache/squid/pull/275", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/275" }, { "name": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt" }, { "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156329", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329" }, { "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch", "refsource": "CONFIRM", "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch" }, { "name": "USN-4213-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4213-1/" }, { "name": "FEDORA-2019-0b16cbdd0e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/" }, { "name": "FEDORA-2019-9538783033", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/" }, { "name": "DSA-4682", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4682" }, { "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html" }, { "name": "USN-4446-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4446-1/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18676", "datePublished": "2019-11-26T16:23:49", "dateReserved": "2019-11-04T00:00:00", "dateUpdated": "2024-08-05T01:54:14.482Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }