Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Squid
(Squid\-Cache)Repositories |
Unknown: This might be proprietary software. |
#Vulnerabilities | 88 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2021-03-09 | CVE-2021-28116 | Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody. | Debian_linux, Fedora, Squid | 5.3 | ||
2012-12-20 | CVE-2012-5643 | CVE-2012-5643 squid: cachemgr.cgi memory usage DoS and memory leaks | Squid | N/A | ||
2020-03-20 | CVE-2019-18860 | Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi. | Ubuntu_linux, Debian_linux, Leap, Squid | 6.1 | ||
2022-07-17 | CVE-2021-46784 | In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses. | Debian_linux, Squid | 6.5 | ||
2022-12-25 | CVE-2022-41318 | A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7. | Squid | 7.5 | ||
2022-12-25 | CVE-2022-41317 | An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7. | Squid | 6.5 | ||
2021-05-27 | CVE-2021-31808 | An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this. | Debian_linux, Fedora, Cloud_manager, Squid | 6.5 | ||
2021-05-28 | CVE-2021-33620 | Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server. | Debian_linux, Fedora, Squid | 6.5 | ||
2020-06-30 | CVE-2020-14058 | An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string. | Fedora, Cloud_manager, Squid | 7.5 | ||
2019-07-11 | CVE-2019-12525 | An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1. | Ubuntu_linux, Debian_linux, Fedora, Leap, Squid | 9.8 |