CVE-2020-24606

Published: 24/08/2020 Updated: 07/11/2023
CVSS v2 Base Score: 7.1 | Impact Score: 6.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 632
CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

Vulnerability Summary

Squid prior to 4.13 and 5.x prior to 5.0.4 allows a trusted peer to perform a Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used together with the cache digests feature. The problem exists because peerDigestHandleReply() in peer_digest.cc mishandles EOF, causing a livelock.

Vulnerable Products

squid-cache squid
canonical ubuntu linux 16.04
canonical ubuntu linux 18.04
canonical ubuntu linux 20.04
debian debian linux 9.0
debian debian linux 10.0
fedoraproject fedora 31
fedoraproject fedora 32
fedoraproject fedora 33
opensuse leap 15.1
opensuse leap 15.2

Vendor Advisories

Synopsis: Important: squid security update. Type/Severity: Security Advisory: Important. Topic: An update for squid is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, whi ...

Synopsis: Moderate: squid:4 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability ...

Several vulnerabilities were discovered in Squid, a fully featured web proxy cache, which could result in request splitting, request smuggling (leading to cache poisoning) and denial of service when processing crafted cache digest response messages. For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u4. We r ...

An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes (CVE-2019-12528). An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Requ ...

A flaw was found in squid. Due to incorrect data validation, an HTTP Request Smuggling attack against HTTP and HTTPS traffic is possible, leading to cache poisoning. The highest threat from this vulnerability is to data confidentiality and integrity (CVE-2020-15810). A flaw was found in squid. Due to incorrect data validation, an HTTP Request Splitti ...