CVE-2021-28652
Description
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
25- Squid/Squiddescription
- Range: <=4.14, >=5.0 <5.0.6
- osv-coords23 versionspkg:rpm/almalinux/libecappkg:rpm/almalinux/libecap-develpkg:rpm/almalinux/squidpkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/squid&distro=openSUSE%20Tumbleweedpkg:rpm/suse/squid&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/squid&distro=SUSE%20Manager%20Proxy%204.0pkg:rpm/suse/squid&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0pkg:rpm/suse/squid&distro=SUSE%20Manager%20Server%204.0
< 1.0.1-2.module_el8.6.0+2741+01592ae8+ 22 more
- (no CPE)range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- (no CPE)range: < 1.0.1-2.module_el8.6.0+2741+01592ae8
- (no CPE)range: < 7:4.15-3.module_el8.6.0+3010+383bc947.1
- (no CPE)range: < 4.15-lp152.2.9.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.16-1.5
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-4.18.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-4.18.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
- (no CPE)range: < 4.15-5.26.1
Patches
Vulnerability mechanics
Root cause
"Incorrect parser validation in Cache Manager URI parsing causes a memory leak when processing a short query string."
Attack vector
A trusted client with Cache Manager API access privilege sends a specially crafted short query string to the Cache Manager endpoint. Due to incorrect parser validation, the request triggers a memory leak in the URI parsing code. Over time, repeated exploitation causes memory exhaustion, leading to a Denial of Service. The attack is limited to clients that already have Cache Manager API access privileges [ref_id=1].
Affected code
The vulnerability is in Squid's Cache Manager URI parsing code. The advisory lists "Memory Leak in CacheManager URI Parsing" as the affected code path [ref_id=1]. No specific function names or file paths are provided in the available references.
What the fix does
No patch or fix details are available in the provided references. The advisory notes that the issue was discovered during an independent audit and that no patches or workarounds have been published by the Squid Project for this vulnerability [ref_id=1]. The recommended remediation would be to upgrade to Squid version 4.15 or 5.0.6, as stated in the CVE description, but the specific code changes are not documented in the supplied bundle.
Preconditions
- authAttacker must be a client with Cache Manager API access privilege
- networkAttacker must be able to send HTTP requests to the Squid proxy's Cache Manager endpoint
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/mitrevendor-advisory
- www.debian.org/security/2021/dsa-4924mitrevendor-advisory
- seclists.org/fulldisclosure/2023/Oct/14mitremailing-list
- www.openwall.com/lists/oss-security/2023/10/11/3mitremailing-list
- lists.debian.org/debian-lts-announce/2021/06/msg00014.htmlmitremailing-list
- bugs.squid-cache.org/show_bug.cgimitre
- github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447mitre
News mentions
0No linked articles in our index yet.