CVE-2024-45802

Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

History

05 Nov 2024, 16:45

Type	Values Removed	Values Added
References	~~() https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj -~~	() https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj - Mitigation, Third Party Advisory
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:squid-cache:squid::::::::
First Time		Squid-cache Squid-cache squid

29 Oct 2024, 14:34

Type	Values Removed	Values Added
Summary		(es) Squid es un proxy de almacenamiento en caché de código abierto para la Web compatible con HTTP, HTTPS, FTP y más. Debido a errores de validación de entrada, liberación prematura de recursos durante el tiempo de vida útil esperado y falta de liberación de recursos después del tiempo de vida útil efectivo, Squid es vulnerable a ataques de denegación de servicio por parte de un servidor confiable contra todos los clientes que utilicen el proxy. Este error se corrigió en la configuración de compilación predeterminada de la versión 6.10 de Squid.

28 Oct 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-28 15:15

Updated : 2024-11-05 16:45

NVD link : CVE-2024-45802

Mitre link : CVE-2024-45802

CVE.ORG link : CVE-2024-45802

JSON object : View

Products Affected

squid-cache

squid

CWE

NVD-CWE-noinfo CWE-20

Improper Input Validation

{"id": "CVE-2024-45802", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-10-28T15:15:04.857", "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10."}, {"lang": "es", "value": "Squid es un proxy de almacenamiento en cach\u00e9 de c\u00f3digo abierto para la Web compatible con HTTP, HTTPS, FTP y m\u00e1s. Debido a errores de validaci\u00f3n de entrada, liberaci\u00f3n prematura de recursos durante el tiempo de vida \u00fatil esperado y falta de liberaci\u00f3n de recursos despu\u00e9s del tiempo de vida \u00fatil efectivo, Squid es vulnerable a ataques de denegaci\u00f3n de servicio por parte de un servidor confiable contra todos los clientes que utilicen el proxy. Este error se corrigi\u00f3 en la configuraci\u00f3n de compilaci\u00f3n predeterminada de la versi\u00f3n 6.10 de Squid."}], "lastModified": "2024-11-05T16:45:52.027", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "269E064C-AAF8-4A48-BBAB-76A37C1A0684", "versionEndExcluding": "6.10", "versionStartIncluding": "3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}