CVE-2016-2390 — Improper Input Validation in Squid

CWE-20 — Improper Input Validation8 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

21.3%

top 4.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid

Timeline

PublishedApr 19

Latest updateMay 17

Description

The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶Debiansquid/squid< 4.1-1+3

▶NVDsquid-cache/squid3.5.13+2

🔴Vulnerability Details

GHSA

GHSA-qg6v-rjmq-c5vh: The FwdState::connectedToPeer method in FwdState↗2022-05-17

▶

CVEList

CVE-2016-2390: The FwdState::connectedToPeer method in FwdState↗2016-04-19

▶

OSV

CVE-2016-2390: The FwdState::connectedToPeer method in FwdState↗2016-04-19

▶

📋Vendor Advisories

Red Hat

squid: incorrect server error handling resulting in denial of service↗2016-02-16

▶

Debian

CVE-2016-2390: squid - The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4...↗2016

▶

💬Community

Bugzilla

CVE-2016-2390 squid: incorrect server error handling resulting in denial of service [fedora-all]↗2016-02-16

▶

Bugzilla

CVE-2016-2390 squid: incorrect server error handling resulting in denial of service↗2016-02-16

▶