CVE-2021-28662
published 2021-05-27


Priority: P3 · 47 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 71.87% (99.3th percentile)
An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.

Affected

11 ranges
Vendor        | Product      | Version range                   | Fixed in
--------------+--------------+---------------------------------+---------------------------
debian        | debian_linux |                                 |
debian        | squid        | < squid 4.13-10 (bookworm)      | squid 4.13-10 (bookworm)
fedoraproject | fedora       |                                 |
fedoraproject | fedora       |                                 |
squid-cache   | squid        | >= 4.0.1 < 4.15                 | 4.15
squid-cache   | squid        | >= 5.0 < 5.0.6                  | 5.0.6
squid         | squid        | >= 0 < 4.13-10                  | 4.13-10
squid         | squid        | >= 0 < 4.13-10                  | 4.13-10
squid         | squid        | >= 0 < 4.13-10                  | 4.13-10
squid         | squid        | >= 0 < 4.13-10                  | 4.13-10
squid         | squid        | >= 0 < 4.10-1ubuntu1.4          | 4.10-1ubuntu1.4

Detection & IOCs (extracted from sources)

  • Denial of service triggered by a specific HTTP/HTTPS response header sent by a remote server through Squid proxy; monitor for Squid process crashes or hangs when proxying responses from upstream servers
  • Vulnerable Squid versions are 4.x before 4.15 and 5.x before 5.0.6; detection should focus on identifying unpatched Squid instances in these version ranges
  • The malicious header can appear in benign-looking traffic, making it difficult to distinguish attack traffic from normal traffic; focus detection on Squid availability/crash monitoring rather than traffic filtering
  • The vulnerability is an input validation flaw in HTTP response message processing; monitor Squid logs for anomalous response header parsing errors or unexpected process termination
  • Red Hat Enterprise Linux 6 and 7 ship versions of Squid that are NOT affected, as the vulnerable code was introduced in a later version
  • Red Hat Enterprise Linux 9 squid package is also listed as Not affected
  • No mitigation is available from Red Hat; patching to Squid 4.15+ or 5.0.6+ is the primary remediation path

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
--------------+--------------+-------+----------+------------------------------------------------
nvd           | v3.1         | 6.5   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd           | v2.0         | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:N/A:P
osv           |              | 7.5   | HIGH     |
vendor_ubuntu |              | 7.5   | HIGH     |
vendor_debian |              | 6.5   | MEDIUM   |
vendor_redhat |              | 6.5   | MEDIUM   |