PT-2016-1431 · Squid+5 · Squid+6

William Lima · Published 2014-04-24 · Updated 2018-03-16 · CVE-2016-2570

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Squid versions 3.x through 3.5.14
Squid versions 4.x through 4.0.6

Description

The issue is related to the Edge Side Includes (ESI) parser in Squid, which does not properly check buffer limits during XML parsing. This allows remote HTTP servers to cause a denial of service, resulting in an assertion failure and daemon exit, by sending a crafted XML document. The problem is associated with the files esi/CustomParser.cc and esi/CustomParser.h.

Recommendations

For Squid versions 3.x through 3.5.14, update to version 3.5.15 or later.
For Squid versions 4.x through 4.0.6, update to version 4.0.7 or later.

Exploit

Fix

DoS

RCE

Weakness Enumeration

Related identifiers

ALT-PU-2014-1531
ALT-PU-2015-1383
BDU:2016-00732
CESA-2016_2600
CVE-2016-2570
MGASA-2016-0095
RHSA-2016:2600
RHSA-2016_2600
SUSE-SU-2016:2008-1
SUSE-SU-2016:2089-1
USN-3557-1

Affected products

Alt Linux
Centos
Red Hat
Squid
Squid Cache
Suse
Ubuntu