Alex Rousskov

**Name of the Vulnerable Software and Affected Versions** Squid versions prior to 7.5 **Description** Squid, a caching proxy for the Web, contains a flaw due to improper input validation when handling ICP traffic. This can lead to an out-of-bounds read, potentially exposing sensitive information to a remote attacker. The attack requires the Squid deployment to have ICP support enabled via a non-zero `icp port` configuration. Denying ICP queries using `icp access` rules does not resolve this issue. **Recommendations** Update to version 7.5 or later.

**Name of the Vulnerable Software and Affected Versions** Squid versions prior to 4.12 Squid versions 5.x prior to 5.0.3 **Description** An issue in the http/ContentLengthInterpreter.cc component of Squid allows for a Request Smuggling and Poisoning attack against the HTTP cache. This can be achieved by sending an HTTP request with a Content-Length header containing specific characters, such as "+-" or uncommon shell whitespace character prefixes to the length field-value. The attack can be exploited by a remote attacker to poison the cache content using a specially crafted HTTP(S) request. **Recommendations** For Squid versions prior to 4.12, update to version 4.12 or later to resolve the issue. For Squid versions 5.x prior to 5.0.3, update to version 5.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the http/ContentLengthInterpreter.cc component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Squid versions 4.0 through 4.7 **Description** The issue is related to incorrect string termination in the cachemgr.cgi component of the Squid proxy server, which can lead to accessing unallocated memory. This can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it. The vulnerability is also described as a buffer overflow in memory, which can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Squid versions 4.0 through 4.7, consider disabling the cachemgr.cgi component as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Squid versions 4.0.0 through 4.0.6 **Description** The issue exists due to insufficient input validation in the http.cc proxy server function. It allows a remote attacker to cause a denial of service, resulting in an "Assertion failure" error and termination of the daemon, by sending a malformed response. **Recommendations** For Squid versions 4.0.0 through 4.0.6, update to version 4.0.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Squid versions prior to 3.5.6 **Description** The issue is related to the handling of CONNECT method peer responses when configured with cache peer, allowing remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request. This is due to insufficient access control to certain functions, which can be exploited by a remote attacker to bypass existing restrictions and gain access to the server by manipulating a CONNECT request. **Recommendations** For Squid versions prior to 3.5.6, update to version 3.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the cache peer configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Squid versions 3.x through 3.5.14 Squid versions 4.x through 4.0.6 **Description** The issue allows remote HTTP servers to cause a denial of service through a malformed response, resulting in an assertion failure and daemon exit. This occurs due to insufficient input validation in the http.cc component of the Squid proxy server. **Recommendations** For Squid versions 3.x through 3.5.14, update to version 3.5.15 or later. For Squid versions 4.x through 4.0.6, update to version 4.0.7 or later. As a temporary workaround, consider restricting access to the `http.cc` component until a patch is available.