Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-0478

CWE-20 — Improper Input Validation8 documents8 sources

Severity

5.0MEDIUM

EPSS

77.1%

top 1.03%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Squid Squid

Timeline

PublishedFeb 8

Latest updateMay 2

Description

Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allows remote attackers to cause a denial of service via an HTTP request with an invalid version number, which triggers a reachable assertion in (1) HttpMsg.c and (2) HttpStatusLine.c.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶Debiansquid< 2.7.STABLE3-4.1+3

▶NVDsquid/squid22 versions+21

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-cfw6-qxff-576v: Squid 2↗2022-05-02

▶

OSV

CVE-2009-0478: Squid 2↗2009-02-08

▶

CVEList

CVE-2009-0478: Squid 2↗2009-02-08

▶

💥Exploits & PoCs

Exploit-DB

Squid < 3.1 5 - HTTP Version Number Parsing Denial of Service↗2009-02-09

▶

📋Vendor Advisories

Ubuntu

Squid vulnerability↗2009-02-25

▶

Red Hat

Squid denial of service flaw↗2009-02-02

▶

Debian

CVE-2009-0478: squid - Squid 2.7 to 2.7.STABLE5, 3.0 to 3.0.STABLE12, and 3.1 to 3.1.0.4 allows remote ...↗2009

▶