CVE-2002-0916: Use of Externally-Controlled Format String in Squid

4 documents, 4 sources

Severity: 7.5 HIGH (NVD)
EPSS: 2.7% (top 14.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 4; Latest update Apr 30

Description

Format string vulnerability in the allowuser code for the Stellar-X msntauth authentication module, as distributed in Squid 2.4.STABLE6 and earlier, allows remote attackers to execute arbitrary code via format strings in the user name, which are not properly handled in a syslog call.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages (3 packages)

debian: debian/squid < squid 2.4.7 (bookworm)
Debian: squid/squid < 2.4.7+3

🔴 Vulnerability Details (2)

GHSA: GHSA-5m3q-wwrg-m59p: Format string vulnerability in the allowuser code for the Stellar-X msntauth authentication module, as distributed in Squid 2 (2022-04-30)
OSV: CVE-2002-0916: Format string vulnerability in the allowuser code for the Stellar-X msntauth authentication module, as distributed in Squid 2 (2002-10-04)

📋 Vendor Advisories (1)

Debian: CVE-2002-0916: squid - Format string vulnerability in the allowuser code for the Stellar-X msntauth aut... (2002)