Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.
Find out more about CVE-2016-4052 from the MITRE CVE dictionary dictionary and NIST NVD.
| Base Score | 5.1 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (squid) | RHSA-2016:1138 | 2016-05-31 |
| Red Hat Enterprise Linux 6 (squid34) | RHSA-2016:1140 | 2016-05-31 |
| Red Hat Enterprise Linux 7 (squid) | RHSA-2016:1139 | 2016-05-31 |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 5 | squid | Not affected |
Vulmon