PT-2021-7239
Author: Joshua Rogers
Published: 2021-02-20 · Updated: 2024-06-27
CVE-2021-46784
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Squid versions 3.x through 3.5.28
Squid versions 4.x through 4.17
Squid versions 5.x before 5.6

Description
The issue stems from improper buffer management when processing long Gopher server responses, which can lead to a Denial of Service. A remote attacker can exploit it by sending a specially crafted response to the proxy server, causing it to crash. The crash is reached through an assert() call (or a similar check) that becomes reachable while handling Gopher server responses.

Recommendations
For Squid versions 3.x through 3.5.28, update to a version later than 3.5.28. For Squid versions 4.x through 4.17, update to a version later than 4.17. For Squid versions 5.x before 5.6, update to version 5.6 or later. As a temporary workaround, consider restricting access to the Gopher protocol to minimize the risk of exploitation.

Tags: Fix · DoS · Assertion Failure


Related Identifiers

ALSA-2022:5526
ALSA-2022:5527
ALT-PU-2022-2631
ALT-PU-2023-5843
ALT-PU-2023-6467
ALT-PU-2024-9370
BDU:2022-04051
CESA-2022_5526
CESA-2022_5542
CVE-2021-46784
DSA-5171-1
GHSA-F5CP-6RH3-284W
MGASA-2022-0249
OESA-2022-1732
OPENSUSE-SU-2022_2359-1
OPENSUSE-SU-2022_2553-1
OPENSUSE-SU-2024:12157-1
RHSA-2022:5526
RHSA-2022:5527
RHSA-2022:5528
RHSA-2022:5529
RHSA-2022:5530
RHSA-2022:5542
RHSA-2022_5526
RHSA-2022_5527
RHSA-2022_5542
RLSA-2022:5526
ROSA-SA-2023-2273
SUSE-SU-2022:2359-1
SUSE-SU-2022:2367-1
SUSE-SU-2022:2392-1
SUSE-SU-2022:2553-1
SUSE-SU-2022_2359-1
USN-5491-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Squid
Squid Cache
Suse
Ubuntu