Page 6 of 103 results (0.004 seconds)

CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 1

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption. Se detectó un problema en Squid versiones anteriores a 4.15 y versiones 5.x anteriores a 5.0.6. • http://seclists.org/fulldisclosure/2023/Oct/14 http://www.openwall.com/lists/oss-security/2023/10/11/3 https://bugs.squid-cache.org/show_bug.cgi?id=5104 https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4 https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraprojec • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •

CVSS: 8.6EPSS: 0%CPEs: 7EXPL: 0

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings. Se detectó un problema en Squid versiones hasta 4.13 y versiones 5.x hasta 5.0.4. Debido a una comprobación inapropiada de la entrada, permite a un cliente confiable llevar a cabo un Trafico No Autorizado de Peticiones HTTP y acceder a servicios que de otro modo estarían prohibidos por los controles de seguridad. • http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patch http://www.squid-cache.org/Versions/v5/changesets/SQUID-2020_11.patch https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DJMDRVV677AJL4BZAOLCT5LMFCGBZTC2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FBXFWKIGXPERDVQXG556LLPUOCMQGERC https://lists.fedoraproject.org/archives/list/package-announc • CWE-20: Improper Input Validation CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 5.3EPSS: 5%CPEs: 6EXPL: 0

Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody. Squid versiones hasta 4.14 y 5.xa 5.0.5, en algunas configuraciones, permite la divulgación de información debido a una lectura fuera de límites en los datos del protocolo WCCP. Esto puede ser aprovechado como parte de una cadena para la ejecución remota de código como nobody A flaw was found in squid. An out-of-bounds read in the WCCP protocol can be leveraged as part of a chain for remote code execution leading to an information disclosure. • http://www.openwall.com/lists/oss-security/2021/10/04/1 http://www.squid-cache.org/Versions https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66 https://security.gentoo.org/glsa/202105-14 https://www.debian.org/security/2022/dsa-5171 https • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.6EPSS: 0%CPEs: 12EXPL: 0

An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2C • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 9.6EPSS: 0%CPEs: 12EXPL: 0

An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2C • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-697: Incorrect Comparison •