Product:

Squid

(Squid\-Cache)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 99
Date Id Summary Products Score Patch Annotated
2020-02-04 CVE-2020-8517 An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy. Ubuntu_linux, Leap, Squid 7.5
2020-04-15 CVE-2019-12521 An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can't affect adjacent memory blocks, and thus just leads to a crash... Ubuntu_linux, Debian_linux, Leap, Squid 5.9
2020-06-30 CVE-2020-14059 An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list. Squid 6.5
2020-04-15 CVE-2019-12522 An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root. Squid 4.5
2020-04-15 CVE-2019-12520 An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the... Ubuntu_linux, Debian_linux, Squid 7.5
2020-04-15 CVE-2019-12519 An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it's being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won't overflow. Ubuntu_linux, Debian_linux, Leap, Squid 9.8
2020-04-15 CVE-2019-12524 An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource. Ubuntu_linux, Debian_linux, Squid 9.8
2018-11-09 CVE-2018-19132 Squid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet. Debian_linux, Squid 5.9
2016-05-10 CVE-2016-4556 Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response. Ubuntu_linux, Linux, Squid 7.5
2016-05-10 CVE-2016-4555 client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses. Ubuntu_linux, Linux, Squid 7.5