ALT-PU-2021-2829-1

BDU:2021-01823

HIGH8.3

Уязвимость реализации конфигурации uri_whitespace прокси-сервера Squid, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Published: 2021-04-06Modified: 2023-11-21

CVSS 3.xHIGH 8.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

References

CVE-2020-25097

BDU:2021-02728

MEDIUM6.5

Уязвимость прокси-сервера Squid, существующая из-за недостаточной проверки введенных пользователем данных при доставке ответов на запросы диапазона HTTP, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-06-01Modified: 2024-09-13

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2021-31808

BDU:2021-02729

MEDIUM6.5

Уязвимость прокси-сервера Squid, существующая из-за недостаточной проверки введенных пользователем данных при выполнении запросов диапазона HTTP, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-06-01Modified: 2023-11-21

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2021-31806

BDU:2021-02730

HIGH7.4

Уязвимость компонента Cache Manager API прокси-сервера Squid, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-06-01Modified: 2024-09-13

CVSS 3.xHIGH 7.4

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2021-28652

BDU:2021-02731

HIGH7.4

Уязвимость прокси-сервера Squid, существующая из-за недостаточной проверки ввода при обработке ответов HTTP, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-06-01Modified: 2022-10-17

CVSS 3.xHIGH 7.4

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2021-28662

BDU:2021-02732

HIGH7.4

Уязвимость прокси-сервера Squid, существующая из-за недостаточной проверки ввода при разрешении идентификаторов ресурсов «urn:», позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-06-01Modified: 2024-09-13

CVSS 3.xHIGH 7.4

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C

References

CVE-2021-28651

BDU:2021-05158

MEDIUM6.5

Уязвимость прокси-сервера Squid, связанная с целочисленным переполнением, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-10-27Modified: 2023-11-21

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P

References

CVE-2021-31807

BDU:2021-05301

MEDIUM6.5

Уязвимость прокси-сервера Squid, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-11-02Modified: 2023-11-21

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P

References

CVE-2021-33620

BDU:2021-06197

MEDIUM6.5

Уязвимость прокси-сервера Squid, связанная с чтением за границами буфера, позволяющая нарушителю получить доступ к конфиденциальной информации

Published: 2021-12-17Modified: 2026-01-20

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:N

References

CVE-2021-28116

CVE-2020-25097

HIGH8.6

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.

Published: 2021-03-19Modified: 2024-11-21

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xHIGH 8.6

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

CVE-2021-28116

MEDIUM5.3

Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.

Published: 2021-03-09Modified: 2024-11-21

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

CVE-2021-28651

HIGH7.5

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.

Published: 2021-05-27Modified: 2024-11-21

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2021-28652

MEDIUM4.9

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.

Published: 2021-05-27Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS 3.xMEDIUM 4.9

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

References

CVE-2021-28662

MEDIUM6.5

An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.

Published: 2021-05-27Modified: 2024-11-21

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

CVE-2021-31806

MEDIUM6.5

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.

Published: 2021-05-27Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2021-31807

MEDIUM6.5

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.

Published: 2021-06-08Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2021-31808

MEDIUM6.5

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.

Published: 2021-05-27Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

CVE-2021-33620

MEDIUM6.5

Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.

Published: 2021-05-28Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References

Package update squid in branch c9f2

Closed issues (18)

Уязвимость реализации конфигурации uri_whitespace прокси-сервера Squid, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)

Уязвимость компонента Cache Manager API прокси-сервера Squid, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость прокси-сервера Squid, существующая из-за недостаточной проверки ввода при обработке ответов HTTP, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость прокси-сервера Squid, связанная с целочисленным переполнением, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость прокси-сервера Squid, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость прокси-сервера Squid, связанная с чтением за границами буфера, позволяющая нарушителю получить доступ к конфиденциальной информации

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.

Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.

An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.

Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.