Product:

Squid

(Squid\-Cache)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 88
Date Id Summary Products Score Patch Annotated
2021-03-09 CVE-2021-28116 Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody. Debian_linux, Fedora, Squid 5.3
2012-12-20 CVE-2012-5643 CVE-2012-5643 squid: cachemgr.cgi memory usage DoS and memory leaks Squid N/A
2020-03-20 CVE-2019-18860 Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi. Ubuntu_linux, Debian_linux, Leap, Squid 6.1
2022-07-17 CVE-2021-46784 In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses. Debian_linux, Squid 6.5
2022-12-25 CVE-2022-41318 A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7. Squid 7.5
2022-12-25 CVE-2022-41317 An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7. Squid 6.5
2021-05-27 CVE-2021-31808 An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this. Debian_linux, Fedora, Cloud_manager, Squid 6.5
2021-05-28 CVE-2021-33620 Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server. Debian_linux, Fedora, Squid 6.5
2020-06-30 CVE-2020-14058 An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string. Fedora, Cloud_manager, Squid 7.5
2019-07-11 CVE-2019-12525 An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1. Ubuntu_linux, Debian_linux, Fedora, Leap, Squid 9.8