Jeriko One

Name of the Vulnerable Software and Affected Versions: Squid versions through 4.7 Description: The issue is related to the ESIExpression::Evaluate function in the Squid proxy server, which is associated with a buffer data boundary overflow. This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The problem arises when handling the `esi:when` tag with ESI enabled, as the `ESIExpression::Evaluate` function uses a fixed stack buffer without checking for potential overflows when adding new members to the stack. Recommendations: For Squid versions through 4.7, consider disabling the ESI feature to prevent exploitation until a patch is available. As a temporary workaround, restrict access to the `ESIExpression::Evaluate` function to minimize the risk of exploitation. Avoid using the `esi:when` tag in configurations where ESI is enabled until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Squid versions prior to 4.10 **Description** The issue is related to a buffer overflow in memory, which can be exploited by a remote attacker to gain access to sensitive information by sending specially crafted requests. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes. **Recommendations** For Squid versions prior to 4.10, update to version 4.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the FTP server to minimize the risk of exploitation. Avoid using the vulnerable Squid proxy server until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Squid versions 3.x through 4.8 **Description** An issue was discovered due to incorrect input validation, resulting in a heap-based buffer overflow that can cause Denial of Service to all clients using the proxy. The severity is high because this issue occurs before normal security checks, allowing any remote client that can reach the proxy port to perform the attack via a crafted URI scheme. **Recommendations** For Squid versions 3.x through 4.8, update to a version later than 4.8 to resolve the issue. As a temporary workaround, consider restricting access to the proxy port to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Squid versions prior to 4.9 **Description** The issue is related to a heap-based buffer overflow in the URN response handling mechanism of Squid. This is due to insufficient size checking of copied data. Exploitation of this issue can allow a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. **Recommendations** For versions prior to 4.9, update to version 4.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the URN response handling mechanism until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Squid versions prior to 4.9 **Description** The issue exists due to insufficient input validation in the Squid proxy server, allowing a remote attacker to access restricted HTTP servers using a specially crafted HTTP request. When handling a URN request, a corresponding HTTP request is made without going through the access checks that incoming HTTP requests go through, causing all access checks to be bypassed. This allows access to restricted HTTP servers, such as those that only listen on localhost. **Recommendations** For Squid versions prior to 4.9, update to version 4.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the URN request handling functionality until a patch is available.

Name of the Vulnerable Software and Affected Versions: Squid versions through 4.7 Description: An issue was discovered in Squid when parsing ESI. The ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via the `addStackElement` function. However, `addStackElement` has a check for the number of elements in this buffer that is off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure, so it cannot affect adjacent memory blocks, and thus just leads to a crash while processing. This can be exploited by a remote attacker to cause a denial of service. Recommendations: For Squid versions through 4.7, update to a version that fixes this issue to prevent a potential crash while processing ESI elements. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Squid versions 4.7 and earlier Squid version 5 **Description** The issue exists due to insufficient input validation in the Squid proxy server. An attacker can exploit this to gain access to features that only reverse proxies can use, such as ESI. When receiving a request, Squid checks its cache by making an MD5 hash of the absolute URL of the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This allows an attacker to provide a username with special characters to delimit the domain and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. **Recommendations** For Squid versions 4.7 and earlier, consider updating to a version that includes the fix for this issue. For Squid version 5, consider updating to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the cache and limiting the use of decoded UserInfo in the absolute URL. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Squid versions through 4.7 **Description** An issue was discovered in Squid when handling requests from users. Squid checks its rules to see if the request should be denied, and by default, it comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via `url regex`. The handler for `url regex` rules URL decodes an incoming request, allowing an attacker to encode their URL to bypass the `url regex` check and gain access to the blocked resource. The vulnerability is related to the lack of an authentication mechanism for `url regex`. **Recommendations** For Squid versions through 4.7, consider disabling the `url regex` handler until a patch is available to prevent attackers from bypassing the `url regex` check. Restrict access to the Cache Manager to minimize the risk of exploitation. Avoid using the `url regex` rule to block access to sensitive resources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZNC versions prior to 1.7.4-rc1 **Description** The issue is related to insufficient privilege control in the LoadModule, GetModInfo, and GetModPathInfo functions from src/Modules.cpp, which are part of the mechanism for disconnecting clients from an IRC server or a selected ZNC channel. This can be exploited by a remote attacker to elevate privileges and execute arbitrary code by loading a module with a specially crafted user name. **Recommendations** For versions prior to 1.7.4-rc1, update to version 1.7.4-rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to the LoadModule function to prevent non-admin users from loading modules until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Mutt versions prior to 1.10.1 NeoMutt versions prior to 2018-07-16 **Description** The issue is related to the `pop.c` code in Mutt and NeoMutt email clients, where it fails to restrict "unsafe" characters, such as the `/` character, in message-cache pathnames. This can be exploited by a remote attacker to gain unauthorized access to information through a Path Traversal attack. **Recommendations** For Mutt versions prior to 1.10.1, update to version 1.10.1 or later to resolve the issue. For NeoMutt versions prior to 2018-07-16, update to a version released after 2018-07-16 to resolve the issue. As a temporary workaround, consider restricting access to the `pop.c` code until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZNC versions prior to 1.7.1-rc1 **Description** The issue allows for a path traversal flaw via ../ in a web skin name, enabling access to files outside of the intended skins directories. **Recommendations** For versions prior to 1.7.1-rc1, update to version 1.7.1-rc1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ZNC versions prior to 1.7.1-rc1 **Description** The issue allows a non-admin user to escalate privileges and inject rogue values into znc.conf due to improper validation of untrusted lines coming from the network. **Recommendations** For versions prior to 1.7.1-rc1, update to version 1.7.1-rc1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mutt versions prior to 1.10.1 NeoMutt versions prior to 2018-07-16 **Description** The issue is related to a stack-based buffer overflow in the imap/message.c file of the Mutt and NeoMutt email clients. This overflow occurs when handling a FETCH response with a long RFC822.SIZE field. The exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** For Mutt versions prior to 1.10.1, update to version 1.10.1 or later to resolve the issue. For NeoMutt versions prior to 2018-07-16, update to a version released after 2018-07-16 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mutt versions prior to 1.10.1 NeoMutt versions prior to 2018-07-16 **Description** The issue is related to a stack-based buffer overflow in the imap/message.c file for a FETCH response with a long INTERNALDATE field. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Mutt versions prior to 1.10.1, update to version 1.10.1 or later. For NeoMutt versions prior to 2018-07-16, update to a version released after 2018-07-16.

**Name of the Vulnerable Software and Affected Versions** Mutt versions prior to 1.10.1 NeoMutt versions prior to 2018-07-16 **Description** The issue is related to errors in handling the size of IMAP status mailbox literal counts in the imap/command.c file of Mutt and NeoMutt email clients. Exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** For Mutt versions prior to 1.10.1, update to version 1.10.1 or later. For NeoMutt versions prior to 2018-07-16, update to a version released after 2018-07-16.

**Name of the Vulnerable Software and Affected Versions** Mutt versions prior to 1.10.1 NeoMutt versions prior to 2018-07-16 **Description** An issue was discovered in the imap quote string function of the imap/util.c file in Mutt and NeoMutt email clients. The issue is related to an integer underflow. Exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** For Mutt versions prior to 1.10.1, update to version 1.10.1 or later to resolve the issue. For NeoMutt versions prior to 2018-07-16, update to a version released after 2018-07-16 to resolve the issue. As a temporary workaround, consider restricting access to the imap quote string function in the imap/util.c file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mutt versions prior to 1.10.1 NeoMutt versions prior to 2018-07-16 **Description** The issue allows remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription. This is due to a lack of data sanitization at the management level, which can be exploited by a remote attacker to execute arbitrary commands. **Recommendations** For Mutt versions prior to 1.10.1, update to version 1.10.1 or later to resolve the issue. For NeoMutt versions prior to 2018-07-16, update to a version released after 2018-07-16 to resolve the issue. As a temporary workaround, consider restricting access to the mailboxes command associated with manual subscription or unsubscription to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mutt versions prior to 1.10.1 NeoMutt versions prior to 2018-07-16 **Description** The issue allows remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription. This is due to a lack of proper data sanitization at the management level, which can be exploited by a remote attacker to execute arbitrary commands. **Recommendations** For Mutt versions prior to 1.10.1, update to version 1.10.1 or later to resolve the issue. For NeoMutt versions prior to 2018-07-16, update to a version released after 2018-07-16 to resolve the issue. As a temporary workaround, consider restricting access to the mailboxes command associated with automatic subscription until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mutt versions prior to 1.10.1 NeoMutt versions prior to 2018-07-16 **Description** A buffer overflow issue was discovered, which can be triggered via base64 data. This issue may allow a remote attacker to execute arbitrary code. The vulnerability is related to a buffer overflow, which can be exploited by a remote attacker. **Recommendations** For Mutt versions prior to 1.10.1, update to version 1.10.1 or later to resolve the issue. For NeoMutt versions prior to 2018-07-16, update to a version released after 2018-07-16 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GraphicsMagick version 1.3.26 **Description** The issue is related to the DrawImage function in magick/render.c, which does not properly handle push and pop keywords, allowing remote attackers to cause a denial of service or possibly have other unspecified impacts via a crafted file. This can lead to a negative strncpy and application crash. The vulnerability exists due to insufficient input validation, potentially affecting the confidentiality, integrity, and availability of protected information. **Recommendations** For GraphicsMagick version 1.3.26, consider disabling the DrawImage function in magick/render.c as a temporary workaround until a patch is available. Restrict the use of crafted files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.