// For flags

CVE-2021-33620

squid: denial of service in HTTP response processing

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.

Squid versiones anteriores a 4.15 y versiones 5.x anteriores a 5.0.6, permite a servidores remotos causar una denegación de servicio (afectando la disponibilidad para todos los clientes) por medio de una respuesta HTTP. El desencadenante del problema es un encabezado que puede esperarse que se presente en el tráfico HTTP sin ninguna intención maliciosa por parte del servidor

An input validation flaw was found in Squid. This issue could allow a remote server to perform a denial of service against all clients using the proxy when delivering HTTP response messages. The highest threat from this vulnerability is to system availability.

Joshua Rogers discovered that Squid incorrectly handled requests with the urn: scheme. A remote attacker could possibly use this issue to cause Squid to consume resources, leading to a denial of service. Joshua Rogers discovered that Squid incorrectly handled requests to the Cache Manager API. A remote attacker with access privileges could possibly use this issue to cause Squid to consume resources, leading to a denial of service. This issue was only addressed in Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. Various other issues were also addressed.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-05-28 CVE Reserved
  • 2021-05-28 CVE Published
  • 2024-08-03 CVE Updated
  • 2025-05-22 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Squid-cache
Search vendor "Squid-cache"
 Squid
Search vendor "Squid-cache" for product "Squid"
 < 4.15
Search vendor "Squid-cache" for product "Squid" and version " < 4.15"
-
Affected
Squid-cache
Search vendor "Squid-cache"
 Squid
Search vendor "Squid-cache" for product "Squid"
 >= 5.0 < 5.0.6
Search vendor "Squid-cache" for product "Squid" and version " >= 5.0 < 5.0.6"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected