CVE-2016-2569 — Improper Input Validation in Squid

CWE-20 — Improper Input Validation CWE-617 — Reachable Assertion12 documents8 sources

Severity

7.5HIGHNVD

EPSS

70.3%

top 1.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid-cache Squid

Timeline

PublishedFeb 27

Latest updateDec 12

Description

Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDsquid-cache/squid133 versions+132

🔴Vulnerability Details

OSV

squid3 regression↗2022-12-12

▶

GHSA

GHSA-6gm6-3v5f-xfhg: Squid 3↗2022-05-14

▶

OSV

squid3 vulnerabilities↗2018-02-05

▶

CVEList

CVE-2016-2569: Squid 3↗2016-02-27

▶

OSV

CVE-2016-2569: Squid 3↗2016-02-27

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2018-02-05

▶

Red Hat

squid: some code paths fail to check bounds in string object↗2016-02-24

▶

Debian

CVE-2016-2569: squid - Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to St...↗2016

▶

💬Community

Bugzilla

CVE-2016-3623 libtiff: divide by zero in the rgb2ycybr tool↗2016-04-08

▶

Bugzilla

CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572 squid: SQUID-2016_2 advisory, multiple DoS issues[fedora-all]↗2016-02-26

▶

Bugzilla

CVE-2016-2569 CVE-2016-2570 squid: some code paths fail to check bounds in string object↗2016-02-26

▶