CVE-2021-28662
Published 2021-05-27
Priority: P3 · 47 · Severity: medium · CVSS 3.1: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
EPSS: 71.87% (99.3rd percentile)
An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.
Affected
11 ranges as indexed (identical rows collapsed below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | squid | < 4.13-10 (bookworm) | 4.13-10 (bookworm) |
| fedoraproject | fedora | — | — |
| squid-cache | squid | >= 4.0.1 < 4.15 | 4.15 |
| squid-cache | squid | >= 5.0 < 5.0.6 | 5.0.6 |
| squid | squid (Debian) | >= 0 < 4.13-10 | 4.13-10 |
| squid | squid (Ubuntu) | >= 0 < 4.10-1ubuntu1.4 | 4.10-1ubuntu1.4 |
Detection & IOCs (extracted from sources)
- Denial of service triggered by a specific HTTP/HTTPS response header sent by a remote server through the Squid proxy (the CVSS vector's UI:R reflects that a proxy client must fetch the malicious response); monitor for Squid process crashes or hangs when proxying responses from upstream servers.
- Vulnerable Squid versions are 4.x before 4.15 and 5.x before 5.0.6; detection should focus on identifying unpatched Squid instances in these version ranges, keeping in mind that distribution packages carry backported fixes under lower upstream version numbers (Debian 4.13-10, Ubuntu 4.10-1ubuntu1.4).
- The malicious header can appear in benign-looking traffic, making attack traffic hard to distinguish from normal traffic; focus detection on Squid availability/crash monitoring rather than traffic filtering.
- The vulnerability is an input validation flaw (CWE-20) in HTTP response message processing; monitor Squid logs for anomalous response header parsing errors or unexpected process termination.
- Red Hat Enterprise Linux 6 and 7 ship versions of Squid that are NOT affected, as the vulnerable code was introduced in a later version.
- The Red Hat Enterprise Linux 9 squid package is also listed as Not affected.
- No mitigation is available from Red Hat; patching to Squid 4.15+ or 5.0.6+ is the primary remediation path.
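The two detection approaches above (find unpatched instances by version, and watch the proxy's availability rather than the traffic) as one worked script. This is an added example, not code from the advisory, the Squid project or any vendor. It assumes `squid -v` prints a `Version x.y[.z]` field, and the cache.log crash indicators (`assertion failed:`, `FATAL:`, `Terminated abnormally`) are assumed wording that should be checked against your own build's log output; the log excerpt is constructed for illustration.

```python
"""Added example (not from the advisory or the Squid project): flag Squid
builds inside the CVE-2021-28662 upstream ranges and scan cache.log for
crash indicators.  Sample inputs below are constructed for illustration."""
import re

# Upstream affected ranges from the advisory: 4.x from 4.0.1 up to (not
# including) 4.15, and 5.x from 5.0 up to (not including) 5.0.6.
AFFECTED_RANGES = [((4, 0, 1), (4, 15, 0)), ((5, 0, 0), (5, 0, 6))]

# Assumed shape of the `squid -v` banner: "Squid Cache: Version 4.13".
VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return the upstream version in `text` as a 3-tuple of ints.
    A distro suffix such as '-10' in '4.13-10' is not part of the upstream
    number and is deliberately left unparsed (see is_affected_upstream)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Version x.y[.z]' field in: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected_upstream(text):
    """True when the upstream version lies inside an affected range.
    Caveat: distributions backport the fix without bumping the upstream
    number (the page lists Debian 4.13-10 and Ubuntu 4.10-1ubuntu1.4 as
    fixed although 4.13 and 4.10 are below 4.15), so for packaged Squid
    compare the package version against the distro's fixed version instead."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Assumed cache.log indicators of abnormal termination; verify the exact
# wording against the Squid build you run before alerting on them.
CRASH_PATTERNS = [
    re.compile(r"assertion failed:"),
    re.compile(r"FATAL:"),
    re.compile(r"Terminated abnormally"),
]


def find_crash_events(log_lines):
    """Return (line_number, line) for each cache.log line that matches a
    crash pattern.  The trigger header 'can plausibly occur in benign
    traffic', so the advisory's advice is to watch availability rather than
    filter headers; this is that availability check over the log."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if any(p.search(line) for p in CRASH_PATTERNS):
            hits.append((n, line.rstrip()))
    return hits


# Constructed sample cache.log excerpt (not a real capture).
SAMPLE_LOG = """\
2021/05/27 10:00:01 kid1| Accepting HTTP Socket connections at local=[::]:3128
2021/05/27 10:03:12 kid1| assertion failed: example.cc:1: "placeholder"
2021/05/27 10:03:12 kid1| Squid Cache (Version 4.13): Terminated abnormally.
2021/05/27 10:03:15 kid1| Starting Squid Cache version 4.13 for x86_64-pc-linux-gnu...
""".splitlines()


if __name__ == "__main__":
    for banner in ("Squid Cache: Version 4.14", "Squid Cache: Version 4.15",
                   "Squid Cache: Version 5.0.5", "Squid Cache: Version 5.0.6"):
        state = "AFFECTED (upstream)" if is_affected_upstream(banner) else "fixed"
        print("%s -> %s" % (banner, state))
    for n, line in find_crash_events(SAMPLE_LOG):
        print("cache.log line %d: %s" % (n, line))
```

Run it on the output of `squid -v` and on the real cache.log path; a version hit on a distro-packaged Squid is a prompt to check the package version against the vendor's fixed release, not a confirmed exposure.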
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
The 7.5/HIGH entries are the score of the Ubuntu advisory that bundles several Squid CVEs under CVE-2021-28651; the scores specific to CVE-2021-28662 are 6.5.
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2021-06-03·CVSS 7.5
CVE-2021-28651 [HIGH] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Joshua Rogers discovered that Squid incorrectly handled requests with the
urn: scheme. A remote attacker could possibly use this issue to cause
Squid to consume resources, leading to a denial of service.
(CVE-2021-28651)
Joshua Rogers discovered that Squid incorrectly handled requests to the
Cache Manager API. A remote attacker with access privileges could possibly
use this issue to cause Squid to consume resources, leading to a denial of
service. This issue was only addressed in Ubuntu 20.04 LTS, Ubuntu 20.10,
and Ubuntu 21.04. (CVE-2021-28652)
Joshua Rogers discovered that Squid incorrectly handled certain response
headers. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. This issue was only affect…
Red Hat
squid: denial of service in HTTP response processing
vendor_redhat·2021-05-10·CVSS 6.5
CVE-2021-28662 [MEDIUM] CWE-20 squid: denial of service in HTTP response processing
An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.
An input validation flaw was found in Squid. This issue could allow a remote server to perform a denial of service against all clients using the proxy when delivering HTTP response messages. The highest threat from this vulnerability is to system availability.
Statement: The versions of `squid` as shipped with Red Hat Enterprise Linux 6 and 7 are not affected by this flaw, as the vulnerable code was introduced in a later version of the package.
Mitigation: Mitigation for this issue is either not available o…
Debian
CVE-2021-28662: squid - An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remo...
vendor_debian·2021·CVSS 6.5
CVE-2021-28662 [MEDIUM] CVE-2021-28662: squid - An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remo...
An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.
Scope: local
bookworm: resolved (fixed in 4.13-10)
bullseye: resolved (fixed in 4.13-10)
forky: resolved (fixed in 4.13-10)
sid: resolved (fixed in 4.13-10)
trixie: resolved (fixed in 4.13-10)
OSV
squid, squid3 vulnerabilities
osv·2021-06-03·CVSS 7.5
CVE-2021-28651 [HIGH] squid, squid3 vulnerabilities
Joshua Rogers discovered that Squid incorrectly handled requests with the
urn: scheme. A remote attacker could possibly use this issue to cause
Squid to consume resources, leading to a denial of service.
(CVE-2021-28651)
Joshua Rogers discovered that Squid incorrectly handled requests to the
Cache Manager API. A remote attacker with access privileges could possibly
use this issue to cause Squid to consume resources, leading to a denial of
service. This issue was only addressed in Ubuntu 20.04 LTS, Ubuntu 20.10,
and Ubuntu 21.04. (CVE-2021-28652)
Joshua Rogers discovered that Squid incorrectly handled certain response
headers. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. This issue was only affect…
OSV
CVE-2021-28662: An issue was discovered in Squid 4
osv·2021-05-27·CVSS 6.5
An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://seclists.org/fulldisclosure/2023/Oct/14
- http://www.openwall.com/lists/oss-security/2023/10/11/3
- http://www.squid-cache.org/Versions/v6/changesets/squid-6-051824924c709bd6162a378f746fb859454c674e.patch
- https://github.com/squid-cache/squid/commit/051824924c709bd6162a378f746fb859454c674e
- https://github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/
- https://www.debian.org/security/2021/dsa-4924
Published: 2021-05-27