CVE-2020-14058 — Use of Potentially Dangerous Function in Squid

CWE-676 — Use of Potentially Dangerous Function7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Fedoraproject Fedora

Timeline

PublishedJun 30

Description

An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDsquid-cache/squid4.0 — 4.12+2

▶Debiansquid/squid< 4.12-1+3

Also affects: Fedora 31

Patches

Patch: www.squid-cache.org ↗Patch: www.squid-cache.org ↗Patch: www.squid-cache.org ↗

🔴Vulnerability Details

CVEList

CVE-2020-14058: An issue was discovered in Squid before 4↗2020-06-30

▶

OSV

CVE-2020-14058: An issue was discovered in Squid before 4↗2020-06-30

▶

📋Vendor Advisories

Red Hat

squid: DoS in TLS handshake↗2020-06-19

▶

Debian

CVE-2020-14058: squid - An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of...↗2020

▶

💬Community

Bugzilla

CVE-2020-14058 squid: DoS in TLS handshake [fedora-all]↗2020-06-30

▶

Bugzilla

CVE-2020-14058 squid: DoS in TLS handshake↗2020-06-30

▶