Unrated severityNVD Advisory· Published Apr 23, 2020· Updated Aug 4, 2024

CVE-2020-11945

Description

An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Squid/Squiddescription
Squidex/Squidexllm-fuzzy
Range: <5.0.2
osv-coords26 versions
pkg:rpm/almalinux/libecap pkg:rpm/almalinux/libecap-devel pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/squid&distro=openSUSE%20Tumbleweed pkg:rpm/suse/squid3&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 pkg:rpm/suse/squid3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS pkg:rpm/suse/squid&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/squid&distro=SUSE%20Enterprise%20Storage%205 pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1 pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/squid&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/squid&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/squid&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
< 1.0.1-2.module_el8.6.0+2741+01592ae8+ 25 more
- (no CPE)range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- (no CPE)range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- (no CPE)range: < 4.11-lp151.2.15.2
- (no CPE)range: < 4.16-1.5
- (no CPE)range: < 3.1.23-8.16.37.12.1
- (no CPE)range: < 3.1.23-8.16.37.12.1
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 4.11-5.17.2
- (no CPE)range: < 4.11-5.17.2
- (no CPE)range: < 4.11-5.17.2
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 4.11-4.9.1
- (no CPE)range: < 4.11-5.17.2
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 4.11-4.9.1
- (no CPE)range: < 4.11-5.17.2
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 3.5.21-26.23.1
- (no CPE)range: < 3.5.21-26.23.1

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.htmlmitrevendor-advisoryx_refsource_SUSE
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FWQRYZJPHAZBLXJ56FPCHJN5X2FP3VA/mitrevendor-advisoryx_refsource_FEDORA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4MWXEZAJSOGRJSS2JCJK4WBSND4IV46/mitrevendor-advisoryx_refsource_FEDORA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RV2VZWFJNO3B56IVN56HHKJASG5DYUIX/mitrevendor-advisoryx_refsource_FEDORA
security.gentoo.org/glsa/202005-05mitrevendor-advisoryx_refsource_GENTOO
usn.ubuntu.com/4356-1/mitrevendor-advisoryx_refsource_UBUNTU
www.debian.org/security/2020/dsa-4682mitrevendor-advisoryx_refsource_DEBIAN
master.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patchmitrex_refsource_MISC
www.openwall.com/lists/oss-security/2020/04/23/2mitrex_refsource_CONFIRM
www.squid-cache.org/Versions/v4/changesets/squid-4-eeebf0f37a72a2de08348e85ae34b02c34e9a811.patchmitrex_refsource_MISC
bugzilla.suse.com/show_bug.cgimitrex_refsource_CONFIRM
github.com/squid-cache/squid/commit/eeebf0f37a72a2de08348e85ae34b02c34e9a811mitrex_refsource_MISC
github.com/squid-cache/squid/pull/585mitrex_refsource_MISC
lists.debian.org/debian-lts-announce/2020/07/msg00009.htmlmitremailing-listx_refsource_MLIST
security.netapp.com/advisory/ntap-20210304-0004/mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.022
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000