CVE-2024-25111

SQUID-2024:1 Denial of Service in HTTP Chunked Decoding

Severity Score

8.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.

Squid es un caché de proxy web. A partir de la versión 3.5.27 y antes de la versión 6.8, Squid puede ser vulnerable a un ataque de denegación de servicio contra el decodificador HTTP fragmentado debido a un error de recursividad no controlado. Este problema permite a un atacante remoto provocar una denegación de servicio al enviar un mensaje HTTP codificado, fragmentado y manipulado. Este error se solucionó en la versión 6.8 de Squid. Además, los parches que solucionan este problema para las versiones estables se pueden encontrar en los archivos de parches de Squid. No hay workaround para este problema.

A flaw was found in Squid. This issue may allow a remote attacker to trigger an uncontrolled recursion bug when sending a specially crafted, chunked, encoded HTTP Message, resulting in a denial of service.

*Credits: N/A

CVSS Scores

GitHubv3.1 8.6

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-05 CVE Reserved
2024-03-06 CVE Published
2024-04-25 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-674: Uncontrolled Recursion

CAPEC

References (7)

URL	Tag	Source
http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch	X_refsource_misc
https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc	X_refsource_confirm
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI
https://security.netapp.com/advisory/ntap-20240605-0001

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-25111	2024-05-13
https://bugzilla.redhat.com/show_bug.cgi?id=2268366	2024-05-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Squid-cache Search vendor "Squid-cache"		Squid Search vendor "Squid-cache" for product "Squid"				>= 3.5.27 < 6.8 Search vendor "Squid-cache" for product "Squid" and version " >= 3.5.27 < 6.8"		en		Affected