PT-2024-7480 · Squid+7 · Squid+8
Megamansec · Published 2024-10-28 · Updated 2025-03-17 · CVE-2024-45802
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Squid versions prior to 6.10
Description: The issue stems from errors in processing input data and can be exploited by a remote attacker to cause a denial of service by sending specially crafted ESI (Edge Side Includes) packets. The root causes are improper input validation, premature release of a resource during its expected lifetime, and missing release of a resource after its effective lifetime. The vulnerability allows a trusted server to launch denial-of-service attacks against all clients using the proxy.
Recommendations: For versions prior to 6.10, update to Squid version 6.10 or later, which includes the fix for this issue in its default build configuration. As a temporary workaround, consider restricting access to the proxy server to minimize the risk of exploitation.

Exploit · Fix · DoS · RCE


Weakness Enumeration

Related Identifiers

ALSA-2024:9625
ALSA-2024:9644
ALSA-2024_9625
ALT-PU-2025-3802
AZL-51819
BDU:2024-08860
CESA-2024_9644
CVE-2024-45802
DLA-4083-1
GHSA-F975-V7QW-Q7HJ
INFSA-2024_9625
INFSA-2024_9644
OESA-2024-2309
OPENSUSE-SU-2024:14566-1
RHSA-2024:9624
RHSA-2024:9625
RHSA-2024:9644
RHSA-2024:9677
RHSA-2024:9678
RHSA-2024:9729
RHSA-2024:9738
RHSA-2024:9813
RHSA-2024:9814
RHSA-2024:9815
RHSA-2024_9625
RHSA-2024_9644
RLSA-2024:9625
RLSA-2024:9644
ROSA-SA-2025-2560
ROSA-SA-2025-2572

Affected Products

Alt Linux
Almalinux
Centos
Debian
Red Hat
Red Os
Rocky Linux
Squid
Squid Cache