CVE-2009-2855 — Improper Input Validation in Squid

CWE-20 — Improper Input Validation9 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

60.7%

top 1.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid

Timeline

PublishedAug 18

Latest updateMay 2

Description

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶Debiansquid/squid< 2.7.STABLE7-1+3

▶NVDsquid-cache/squid2.7

🔴Vulnerability Details

GHSA

GHSA-7hrp-6jq3-pm4q: The strListGetItem function in src/HttpHeaderTools↗2022-05-02

▶

CVEList

CVE-2009-2855: The strListGetItem function in src/HttpHeaderTools↗2009-08-18

▶

OSV

CVE-2009-2855: The strListGetItem function in src/HttpHeaderTools↗2009-08-18

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2010-02-16

▶

Red Hat

squid: DoS (100% CPU use) while processing certain external ACL helper HTTP headers↗2009-06-28

▶

Debian

CVE-2009-2855: squid - The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote ...↗2009

▶

💬Community

Bugzilla

CVE-2009-2855 squid: DoS (100% CPU use) while processing certain external ACL helper HTTP headers↗2009-08-19

▶

Bugzilla

squid DoS in external auth header parser↗2009-07-06

▶