CVE-2007-6239 — Improper Input Validation in Squid

CWE-20 — Improper Input Validation14 documents7 sources

Severity

5.0MEDIUMNVD

NVD4.3

EPSS

9.0%

top 7.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Debian Squid Squid WEB Proxy Cache

Timeline

PublishedDec 4

Latest updateMay 1

Description

The "cache update reply processing" functionality in Squid 2.x before 2.6.STABLE17 and Squid 3.0 allows remote attackers to cause a denial of service (crash) via unknown vectors related to HTTP headers and an Array memory leak during requests for cached objects.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶NVDsquid/squid_web_proxy_cache38 versions+37

▶debiandebian/squid< squid 2.6.17-1 (bookworm)+1

▶Debiansquid/squid< 2.6.17-1+7

▶NVDsquid/squid2.6.stable17

Patches

Patch: secunia.com ↗Patch: www.debian.org ↗Patch: www.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-qcwf-4hxx-vx9v: The arrayShrink function (lib/Array↗2022-05-01

▶

GHSA

GHSA-6pw6-cgf2-h2v8: The "cache update reply processing" functionality in Squid 2↗2022-05-01

▶

OSV

CVE-2008-1612: The arrayShrink function (lib/Array↗2008-04-01

▶

OSV

CVE-2007-6239: The "cache update reply processing" functionality in Squid 2↗2007-12-04

▶

📋Vendor Advisories

Ubuntu

Squid vulnerability↗2008-04-14

▶

Red Hat

squid: regression in SQUID-2007:2 / CVE-2007-6239↗2008-03-22

▶

Ubuntu

Squid vulnerability↗2008-01-09

▶

Debian

CVE-2008-1612: squid - The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to...↗2008

▶

Red Hat

squid: DoS in cache updates↗2007-12-04

▶

💬Community

Bugzilla

CVE-2008-1612 squid: regression in SQUID-2007:2 / CVE-2007-6239↗2008-03-31

▶

Bugzilla

CVE-2007-6239 squid: DoS in cache updates↗2007-12-04

▶