CVE-2024-37894
Published: 2024-06-25
Priority: P337 · Severity: medium, CVSS 3.1 base score 6.3
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
EPSS: 6.25% (92.7th percentile)
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 5.7-2+deb12u2 (bookworm) | squid 5.7-2+deb12u2 (bookworm) |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | — | — |
| squid-cache | squid | >= 3.0 < 6.10 | 6.10 |
| squid | squid | >= 0 < 4.13-10+deb11u4 | 4.13-10+deb11u4 |
| squid | squid | >= 0 < 5.7-2+deb12u2 | 5.7-2+deb12u2 |
| squid | squid | >= 0 < 6.10-1 | 6.10-1 |
| squid | squid | >= 0 < 6.10-1 | 6.10-1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 6.3 (v3.1) | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H |
| osv | 6.3 | MEDIUM | — |
| vendor_debian | 6.3 | MEDIUM | — |
| vendor_redhat | 6.3 | MEDIUM | — |
Ubuntu
Squid vulnerability
vendor_ubuntu · 2024-07-23
Summary: Squid could be made to crash if it processed specially crafted characters.
Joshua Rogers discovered that Squid did not properly handle multi-byte characters during Edge Side Includes (ESI) processing. A remote attacker could possibly use this issue to cause a memory corruption error, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
squid: Out-of-bounds write error may lead to Denial of Service
vendor_redhat · 2024-06-25 · CVSS 6.3 · MEDIUM · CWE-787
A flaw was found in Squid. An out-of-bounds write can be triggered when an Edge Side Includes (ESI) variable is assigned to a value not in the standard ASCII range, for example, multi-byte characters. This flaw allows a trusted server to crash Squid while processing an ESI response content, resulting in a denial of service.
Statement: Squid as shipped in Red Hat Enterprise Linux 8 and 9 is vulnerable to this vulnerability as the ESI support is enabled by default.
This flaw requires Squ
Debian
CVE-2024-37894: squid - Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due ...
vendor_debian · 2024 · CVSS 6.3 · MEDIUM
Scope: local
bookworm: resolved (fixed in 5.7-2+deb12u2)
bullseye: resolved (fixed in 4.13-10+deb11u4)
forky: resolved (fixed in 6.10-1)
sid: resolved (fixed in 6.10-1)
trixie: resolved (fixed in 6.10-1)
OSV
CVE-2024-37894: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more
osv · 2024-06-25 · CVSS 6.3 · MEDIUM
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch
- https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg
- https://security.netapp.com/advisory/ntap-20240719-0001/
- https://lists.debian.org/debian-lts-announce/2025/03/msg00009.html