CVE-2018-1000024 — Improper Input Validation in Squid

CWE-20 — Improper Input Validation10 documents8 sources

Severity

7.5HIGHNVD

EPSS

9.2%

top 7.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Canonical Ubuntu Linux +1 more

Timeline

PublishedFeb 9

Latest updateMay 13

Description

The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4.0 to 4.0.22 contains a Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy.. This attack appear to be exploitable via Remote server delivers an HTTP response payload containing valid but unusual ESI syntax.. This vulnerability appears to have been fixed in 4.0.23 and later.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debiansquid/squid< 4.1-1+3

▶NVDsquid-cache/squid3.0 — 3.5.27+1

Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10

Patches

Patch: www.squid-cache.org ↗Patch: www.squid-cache.org ↗

🔴Vulnerability Details

GHSA

GHSA-gh8j-c69q-gf38: The Squid Software Foundation Squid HTTP Caching Proxy version 3↗2022-05-13

▶

OSV

CVE-2018-1000024: The Squid Software Foundation Squid HTTP Caching Proxy version 3↗2018-02-09

▶

CVEList

CVE-2018-1000024: The Squid Software Foundation Squid HTTP Caching Proxy version 3↗2018-02-09

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2019-07-17

▶

Ubuntu

Squid vulnerabilities↗2018-02-05

▶

Red Hat

squid: Incorrect pointer handling when processing ESI Responses can lead to denial of service↗2018-01-19

▶

Debian

CVE-2018-1000024: squid - The Squid Software Foundation Squid HTTP Caching Proxy version 3.0 to 3.5.27, 4....↗2018

▶

💬Community

Bugzilla

CVE-2018-1000024 squid: Incorrect pointer handling when processing ESI Responses can lead to denial of service↗2018-01-22

▶

Bugzilla

CVE-2018-1000024 CVE-2018-1000027 squid: various flaws [fedora-all]↗2018-01-22

▶