CVE-2021-28651
published 2021-05-27CVE-2021-28651: An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
7.45%
93.7th percentile
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | squid | < squid 4.13-10 (bookworm) | squid 4.13-10 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| squid-cache | squid | >= 2.0 < 4.15 | 4.15 |
| squid-cache | squid | >= 5.0 < 5.0.6 | 5.0.6 |
| squid | squid | >= 0 < 4.13-10 | 4.13-10 |
| squid | squid | >= 0 < 4.13-10 | 4.13-10 |
| squid | squid | >= 0 < 4.13-10 | 4.13-10 |
| squid | squid | >= 0 < 4.13-10 | 4.13-10 |
| squid | squid | >= 0 < 4.10-1ubuntu1.4 | 4.10-1ubuntu1.4 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
squid3 vulnerabilities
osv·2024-06-27·CVSS 7.5
CVE-2021-28651 [HIGH] squid3 vulnerabilities
squid3 vulnerabilities
Joshua Rogers discovered that Squid incorrectly handled requests with the
urn: scheme. A remote attacker could possibly use this issue to cause
Squid to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS. (CVE-2021-28651)
It was discovered that Squid incorrectly handled SSPI and SMB
authentication. A remote attacker could use this issue to cause Squid to
crash, resulting in a denial of service, or possibly obtain sensitive
information. This issue only affected Ubuntu 16.04 LTS. (CVE-2022-41318)
Joshua Rogers discovered that Squid incorrectly handled HTTP message
processing. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-49285)
Joshua Rogers discovered t
OSV
squid, squid3 vulnerabilities
osv·2021-06-03·CVSS 7.5
CVE-2021-28651 [HIGH] squid, squid3 vulnerabilities
squid, squid3 vulnerabilities
Joshua Rogers discovered that Squid incorrectly handled requests with the
urn: scheme. A remote attacker could possibly use this issue to cause
Squid to consume resources, leading to a denial of service.
(CVE-2021-28651)
Joshua Rogers discovered that Squid incorrectly handled requests to the
Cache Manager API. A remote attacker with access privileges could possibly
use this issue to cause Squid to consume resources, leading to a denial of
service. This issue was only addressed in Ubuntu 20.04 LTS, Ubuntu 20.10,
and Ubuntu 21.04. (CVE-2021-28652)
Joshua Rogers discovered that Squid incorrectly handled certain response
headers. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. This issue was only affect
OSV
CVE-2021-28651: An issue was discovered in Squid before 4
osv·2021-05-27·CVSS 7.5
CVE-2021-28651 [HIGH] CVE-2021-28651: An issue was discovered in Squid before 4
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2024-06-27·CVSS 7.5
CVE-2023-49286 [HIGH] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Joshua Rogers discovered that Squid incorrectly handled requests with the
urn: scheme. A remote attacker could possibly use this issue to cause
Squid to consume resources, leading to a denial of service. This issue
only affected Ubuntu 16.04 LTS. (CVE-2021-28651)
It was discovered that Squid incorrectly handled SSPI and SMB
authentication. A remote attacker could use this issue to cause Squid to
crash, resulting in a denial of service, or possibly obtain sensitive
information. This issue only affected Ubuntu 16.04 LTS. (CVE-2022-41318)
Joshua Rogers discovered that Squid incorrectly handled HTTP message
processing. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a de
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2021-06-03·CVSS 7.5
CVE-2021-28651 [HIGH] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Joshua Rogers discovered that Squid incorrectly handled requests with the
urn: scheme. A remote attacker could possibly use this issue to cause
Squid to consume resources, leading to a denial of service.
(CVE-2021-28651)
Joshua Rogers discovered that Squid incorrectly handled requests to the
Cache Manager API. A remote attacker with access privileges could possibly
use this issue to cause Squid to consume resources, leading to a denial of
service. This issue was only addressed in Ubuntu 20.04 LTS, Ubuntu 20.10,
and Ubuntu 21.04. (CVE-2021-28652)
Joshua Rogers discovered that Squid incorrectly handled certain response
headers. A remote attacker could possibly use this issue to cause Squid to
crash, result
Red Hat
squid: denial of service in URN processing
vendor_redhat·2021-05-10·CVSS 7.5
CVE-2021-28651 [HIGH] CWE-401 squid: denial of service in URN processing
squid: denial of service in URN processing
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.
An input validation flaw was found in Squid. This issue could allow a malicious server in collaboration with a trusted client to consume arbitrarily large amounts of memory on the server running Squid. The highest threat from this vulnerability is to system availability.
Statement: This issue has been rated as having a security impact of Moderate. At this stage in their life, Red Hat Enterprise Linux 6 and 7 only acc
Debian
CVE-2021-28651: squid - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buff...
vendor_debian·2021·CVSS 7.5
CVE-2021-28651 [HIGH] CVE-2021-28651: squid - An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buff...
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.
Scope: local
bookworm: resolved (fixed in 4.13-10)
bullseye: resolved (fixed in 4.13-10)
forky: resolved (fixed in 4.13-10)
sid: resolved (fixed in 4.13-10)
trixie: resolved (fixed in 4.13-10)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://seclists.org/fulldisclosure/2023/Oct/14http://www.openwall.com/lists/oss-security/2023/10/11/3https://bugs.squid-cache.org/show_bug.cgi?id=5104https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4https://lists.debian.org/debian-lts-announce/2021/06/msg00014.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/https://security.netapp.com/advisory/ntap-20210716-0007/https://www.debian.org/security/2021/dsa-4924http://seclists.org/fulldisclosure/2023/Oct/14http://www.openwall.com/lists/oss-security/2023/10/11/3https://bugs.squid-cache.org/show_bug.cgi?id=5104https://github.com/squid-cache/squid/security/advisories/GHSA-ch36-9jhx-phm4https://lists.debian.org/debian-lts-announce/2021/06/msg00014.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/https://security.netapp.com/advisory/ntap-20210716-0007/https://www.debian.org/security/2021/dsa-4924
2021-05-27
Published