CVE-2016-2570 — Improper Input Validation in Squid

CWE-20 — Improper Input Validation CWE-617 — Reachable Assertion11 documents8 sources

Severity

7.5HIGHNVD

EPSS

5.5%

top 9.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid-cache Squid

Timeline

PublishedFeb 27

Latest updateDec 12

Description

The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDsquid-cache/squid133 versions+132

🔴Vulnerability Details

OSV

squid3 regression↗2022-12-12

▶

GHSA

GHSA-xwvc-2x67-786x: The Edge Side Includes (ESI) parser in Squid 3↗2022-05-14

▶

OSV

squid3 vulnerabilities↗2018-02-05

▶

OSV

CVE-2016-2570: The Edge Side Includes (ESI) parser in Squid 3↗2016-02-27

▶

CVEList

CVE-2016-2570: The Edge Side Includes (ESI) parser in Squid 3↗2016-02-27

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2018-02-05

▶

Red Hat

squid: some code paths fail to check bounds in string object↗2016-02-24

▶

Debian

CVE-2016-2570: squid - The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4....↗2016

▶

💬Community

Bugzilla

CVE-2016-2569 CVE-2016-2570 CVE-2016-2571 CVE-2016-2572 squid: SQUID-2016_2 advisory, multiple DoS issues[fedora-all]↗2016-02-26

▶

Bugzilla

CVE-2016-2569 CVE-2016-2570 squid: some code paths fail to check bounds in string object↗2016-02-26

▶