VuXML ID | Description |
d5b6d151-1887-11e8-94f7-9c5c8e75236a | squid -- Vulnerable to Denial of Service attack
Louis Dion-Marcil reports:
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses.
This problem allows a remote server delivering certain ESI
response syntax to trigger a denial of service for all clients
accessing the Squid service.
Due to unrelated changes Squid-3.5 has become vulnerable to some
regular ESI server responses also triggering this issue.
This problem is limited to the Squid custom ESI parser.
Squid built to use libxml2 or libexpat XML parsers do not have
this problem.
Due to incorrect pointer handling Squid is vulnerable to denial
of service attack when processing ESI responses or downloading
intermediate CA certificates.
This problem allows a remote client delivering certain HTTP
requests in conjunction with certain trusted server responses to
trigger a denial of service for all clients accessing the Squid
service.
Discovery 2017-12-13 Entry 2018-02-23 squid
< 3.5.27_3
squid-devel
< 4.0.23
http://www.squid-cache.org/Advisories/SQUID-2018_1.txt
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
CVE-2018-1000024
CVE-2018-1000027
https://www.debian.org/security/2018/dsa-4122
ports/226138
|
620685d6-0aa3-11ea-9673-4c72b94353b5 | squid -- Vulnerable to HTTP Digest Authentication
Squid Team reports:
Problem Description: Due to incorrect data management Squid is
vulnerable to a information disclosure when processing HTTP Digest
Authentication.
Severity: Nonce tokens contain the raw byte value of a pointer which sits
within heap memory allocation. This information reduces ASLR protections
and may aid attackers isolating memory areas to target for remote code
execution attacks.
Discovery 2019-11-05 Entry 2019-11-19 squid
< 4.9
http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18679
CVE-2019-18679
|
57c1c2ee-7914-11ea-90bf-0800276545c1 | Squid -- multiple vulnerabilities
The Squid developers reports:
Improper Input Validation issues in HTTP Request
processing (CVE-2020-8449, CVE-2020-8450).
Information Disclosure issue in FTP Gateway
(CVE-2019-12528).
Buffer Overflow issue in ext_lm_group_acl helper
(CVE-2020-8517).
Discovery 2020-02-10 Entry 2020-04-07 squid
< 4.10
http://lists.squid-cache.org/pipermail/squid-announce/2020-February/000107.html
https://nvd.nist.gov/vuln/detail/CVE-2020-8449
https://nvd.nist.gov/vuln/detail/CVE-2020-8450
https://nvd.nist.gov/vuln/detail/CVE-2019-12528
https://nvd.nist.gov/vuln/detail/CVE-2020-8517
CVE-2020-8449
CVE-2020-8450
CVE-2019-12528
CVE-2020-8517
ports/244026
|
f9ada0b5-3d80-11ed-9330-080027f5fec9 | squid -- Exposure of sensitive information in cache manager
Mikhail Evdokimov (aka konata) reports:
Due to inconsistent handling of internal URIs Squid is
vulnerable to Exposure of Sensitive Information about
clients using the proxy. This problem allows a trusted
client to directly access cache manager information
bypassing the manager ACL protection. The available cache
manager information contains records of internal network
structure, client credentials, client identity and client
traffic behaviour.
Discovery 2022-04-17 Entry 2022-09-26 squid
< 5.7
CVE-2022-41317
https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq
|
41f8af15-c8b9-11e6-ae1b-002590263bf5 | squid -- multiple vulnerabilities
Squid security advisory 2016:10 reports:
Due to incorrect comparison of request headers Squid can deliver
responses containing private data to clients it should not have
reached.
This problem allows a remote attacker to discover private and
sensitive information about another clients browsing session.
Potentially including credentials which allow access to further
sensitive resources. This problem only affects Squid configured
to use the Collapsed Forwarding feature. It is of particular
importance for HTTPS reverse-proxy sites with Collapsed
Forwarding.
Squid security advisory 2016:11 reports:
Due to incorrect HTTP conditional request handling Squid can
deliver responses containing private data to clients it should not
have reached.
This problem allows a remote attacker to discover private and
sensitive information about another clients browsing session.
Potentially including credentials which allow access to further
sensitive resources..
Discovery 2016-12-16 Entry 2016-12-23 squid
ge 3.1 lt 3.5.23
squid-devel
ge 4.0 lt 4.0.17
CVE-2016-10002
CVE-2016-10003
ports/215416
ports/215418
http://www.squid-cache.org/Advisories/SQUID-2016_10.txt
http://www.squid-cache.org/Advisories/SQUID-2016_11.txt
|