CVE-2020-8450
published 2020-02-04

Priority: P263high
CVSS 3.1: 7.3 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 71.79% (99.3rd percentile)
An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy.

Affected (14 ranges)

Vendor         Product        Version range                Fixed in
canonical      ubuntu_linux
canonical      ubuntu_linux
canonical      ubuntu_linux
debian         debian_linux
debian         debian_linux
debian         squid          < squid 4.10-1 (bookworm)    squid 4.10-1 (bookworm)
fedoraproject  fedora
fedoraproject  fedora
opensuse       leap
squid-cache    squid          < 4.10                       4.10
squid          squid          >= 0 < 4.10-1                4.10-1
squid          squid          >= 0 < 4.10-1                4.10-1
squid          squid          >= 0 < 4.10-1                4.10-1
squid          squid          >= 0 < 4.10-1                4.10-1

Detection & IOCs (extracted from sources)

  • Only Squid instances configured as a reverse proxy (http_port 'accel' or 'vhost' in squid 2.x/3.x, or http_port 'accel' in squid 4.x) are exposed: these are the only configurations in which a remote client can trigger the buffer overflow.
  • Exploitation results in Squid crash (denial of service) or possibly arbitrary code execution; monitor for unexpected squid process termination on reverse-proxy deployments.
  • On RHEL 6–8, FORTIFY_SOURCE limits impact to application termination rather than code execution; alert on squid process crashes as a lower-severity but still detectable signal.
  • The vulnerability only affects Squid instances acting as a reverse proxy; standard forward-proxy deployments are not affected.
  • Squid versions before 4.10 are vulnerable; fixed in 4.10. Patch references are available from the Squid advisory and changeset URLs.
  • Red Hat Enterprise Linux 5 squid packages are not affected; RHEL 6 packages will not be fixed (FORTIFY_SOURCE mitigates to crash-only impact).

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.3    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     7.5    HIGH
vendor_ubuntu           7.5    HIGH
vendor_debian           7.3    HIGH
vendor_redhat           7.3    HIGH