Page 3 of 68 results (0.125 seconds)

CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0

Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. • http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch https://github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810 https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC https: • CWE-125: Out-of-bounds Read CWE-129: Improper Validation of Array Index CWE-295: Improper Certificate Validation CWE-786: Access of Memory Location Before Start of Buffer CWE-823: Use of Out-of-range Pointer Offset CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input •

CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0

A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7. Se descubrió una lectura excesiva del búfer en libntlmauth en Squid 2.5 a 5.6. • http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_2.patch http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_2.patch https://github.com/squid-cache/squid/security/advisories/GHSA-394c-rr7q-6g78 https://www.openwall.com/lists/oss-security/2022/09/23/2 https://access.redhat.com/security/cve/CVE-2022-41318 https://bugzilla.redhat.com/show_bug.cgi?id=2129771 • CWE-126: Buffer Over-read CWE-190: Integer Overflow or Wraparound •

CVSS: 7.5EPSS: 3%CPEs: 6EXPL: 0

In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses. En Squid versiones 3.x hasta 3.5.28, versiones 4.x hasta 4.17 y versiones 5.x anteriores a 5.6, debido a una administración inapropiada del búfer, puede producirse una denegación de servicio cuando son procesadas respuestas largas del servidor Gopher A vulnerability was found in squid (Web proxy cache server). This issue occurs due to improper buffer management while processing Gopher server responses. This flaw leads to a remote denial of service or a crash if it receives specially crafted network traffic, either by mistake or a malicious actor. • http://www.openwall.com/lists/oss-security/2023/10/13/1 http://www.openwall.com/lists/oss-security/2023/10/13/10 http://www.openwall.com/lists/oss-security/2023/10/21/1 http://www.squid-cache.org/Versions/v4/changesets/SQUID-2021_7.patch http://www.squid-cache.org/Versions/v5/changesets/SQUID-2021_7.patch https://github.com/squid-cache/squid/commit/5e2ea2b13bd98f53e29964ca26bb0d602a8a12b9 https://github.com/squid-cache/squid/security/advisories/GHSA-f5cp-6rh3-284w https:/&# • CWE-617: Reachable Assertion •

CVSS: 6.5EPSS: 14%CPEs: 5EXPL: 0

Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server. Squid versiones anteriores a 4.15 y versiones 5.x anteriores a 5.0.6, permite a servidores remotos causar una denegación de servicio (afectando la disponibilidad para todos los clientes) por medio de una respuesta HTTP. El desencadenante del problema es un encabezado que puede esperarse que se presente en el tráfico HTTP sin ninguna intención maliciosa por parte del servidor An input validation flaw was found in Squid. This issue could allow a remote server to perform a denial of service against all clients using the proxy when delivering HTTP response messages. • http://seclists.org/fulldisclosure/2023/Oct/14 http://www.openwall.com/lists/oss-security/2023/10/11/3 http://www.squid-cache.org/Versions/v4/changesets/squid-4-1e05a85bd28c22c9ca5d3ac9f5e86d6269ec0a8c.patch http://www.squid-cache.org/Versions/v5/changesets/squid-5-8af775ed98bfd610f9ce762fe177e01b2675588c.patch https://github.com/squid-cache/squid/security/advisories/GHSA-572g-rvwr-6c7f https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html https://lists.fedoraproject.org/archives/list/package-a • CWE-20: Improper Input Validation •

CVSS: 6.5EPSS: 91%CPEs: 7EXPL: 0

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing. Se detectó un problema en Squid versiones anteriores a 4.15 y versiones 5.x anteriores a 5.0.6. Debido a un bug de administración de la memoria, es vulnerable a un ataque de Denegación de Servicio (contra todos los clientes que usan el proxy) por medio del procesamiento de peticiones HTTP Range An incorrect input validation flaw was found in Squid, where it is vulnerable to a denial of service attack against all clients using the proxy. The highest threat from this vulnerability is to system availability. • http://seclists.org/fulldisclosure/2023/Oct/14 http://www.openwall.com/lists/oss-security/2023/10/11/3 http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF https://lists.fedoraproject.org/archive • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •