CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 1CVE-2021-28652 – squid: denial of service issue in Cache Manager
https://notcve.org/view.php?id=CVE-2021-28652
26 May 2021 — An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege. Se detectó un problema en Squid versiones anteriores a 4.15 y versiones 5.x anteriores a 5.0.6. • http://seclists.org/fulldisclosure/2023/Oct/14 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.5EPSS: 13%CPEs: 5EXPL: 0CVE-2021-28662 – squid: denial of service in HTTP response processing
https://notcve.org/view.php?id=CVE-2021-28662
26 May 2021 — An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic. Se detectó un problema en Squid versiones 4.x anteriores a 4.15 y versiones 5.x anteriores a 5.0.6. Si un servidor remoto envía un determinado encabezado de respuesta por medio de HTTP o HTTPS, ocurre una denegación de servicio. • http://seclists.org/fulldisclosure/2023/Oct/14 • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •
CVSS: 6.5EPSS: 82%CPEs: 7EXPL: 1CVE-2021-31806 – squid: improper input validation in HTTP Range header
https://notcve.org/view.php?id=CVE-2021-31806
26 May 2021 — An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing. Se detectó un problema en Squid versiones anteriores a 4.15 y versiones 5.x anteriores a 5.0.6. Debido a un bug de administración de la memoria, es vulnerable a un ataque de Denegación de Servicio (contra todos los clientes que usan el proxy) por medio del procesamiento de peticiones HTT... • https://packetstorm.news/files/id/180526 • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •
CVSS: 8.6EPSS: 0%CPEs: 7EXPL: 0CVE-2020-25097 – squid: improper input validation may allow a trusted client to perform HTTP request smuggling
https://notcve.org/view.php?id=CVE-2020-25097
19 Mar 2021 — An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings. Se detectó un problema en Squid versiones hasta 4.13 y versiones 5.x hasta 5.0.4. Debido a una comprobación inapropiada de la entrada, permite a un cliente confiable llevar a cabo un Trafico No Autorizado de Petici... • http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 5.3EPSS: 10%CPEs: 6EXPL: 0CVE-2021-28116 – squid: out-of-bounds read in WCCP protocol data may lead to information disclosure
https://notcve.org/view.php?id=CVE-2021-28116
09 Mar 2021 — Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody. Squid versiones hasta 4.14 y 5.xa 5.0.5, en algunas configuraciones, permite la divulgación de información debido a una lectura fuera de límites en los datos del protocolo WCCP. Esto puede ser aprovechado como parte de una cadena para la ejecución remota de código como nobody ... • http://www.openwall.com/lists/oss-security/2021/10/04/1 • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.6EPSS: 0%CPEs: 12EXPL: 0CVE-2020-15810 – squid: HTTP Request Smuggling could result in cache poisoning
https://notcve.org/view.php?id=CVE-2020-15810
27 Aug 2020 — An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 9.6EPSS: 0%CPEs: 12EXPL: 0CVE-2020-15811 – squid: HTTP Request Splitting could result in cache poisoning
https://notcve.org/view.php?id=CVE-2020-15811
27 Aug 2020 — An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-697: Incorrect Comparison •
CVSS: 8.6EPSS: 8%CPEs: 12EXPL: 0CVE-2020-24606 – squid: Improper input validation could result in a DoS
https://notcve.org/view.php?id=CVE-2020-24606
24 Aug 2020 — Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF. Squid versiones anteriores a 4.13 y versiones 5.x anteriores a 5.0.4, permite que un peer de confianza lleve a cabo una Denegación de Servicio mediante el... • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html • CWE-20: Improper Input Validation CWE-667: Improper Locking •
CVSS: 7.7EPSS: 0%CPEs: 5EXPL: 0CVE-2020-14058 – squid: DoS in TLS handshake
https://notcve.org/view.php?id=CVE-2020-14058
30 Jun 2020 — An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string. Se detectó un problema en Squid versiones anteriores a 4.12 y versiones 5.x anteriores ... • http://www.squid-cache.org/Advisories/SQUID-2020_6.txt • CWE-676: Use of Potentially Dangerous Function •
CVSS: 9.9EPSS: 18%CPEs: 14EXPL: 0CVE-2020-15049 – squid: Request smuggling and poisoning attack against the HTTP cache
https://notcve.org/view.php?id=CVE-2020-15049
30 Jun 2020 — An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value. Se detectó un problema en el archivo http/ContentLengthInterpreter.cc en Squid versiones anteriores a 4.12 y versiones 5.x anteriores a 5.0.3. Un ataque de Trafico No Autoriza... • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •