CVE-2021-28662
Description
An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly occur in benign network traffic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Squid / Squid
- OSV coordinates (23 package versions, each with its fixed-version range):
  - pkg:rpm/almalinux/libecap: < 1.0.1-2.module_el8.6.0+2741+01592ae8
  - pkg:rpm/almalinux/libecap-devel: < 1.0.1-2.module_el8.6.0+2741+01592ae8
  - pkg:rpm/almalinux/squid: < 7:4.15-3.module_el8.6.0+3010+383bc947.1
  - pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.2: < 4.15-lp152.2.9.1
  - pkg:rpm/opensuse/squid&distro=openSUSE%20Leap%2015.3: < 4.15-5.26.1
  - pkg:rpm/opensuse/squid&distro=openSUSE%20Tumbleweed: < 4.16-1.5
  - pkg:rpm/suse/squid&distro=SUSE%20Enterprise%20Storage%206: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 4.15-4.18.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 4.15-4.18.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Manager%20Proxy%204.0: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0: < 4.15-5.26.1
  - pkg:rpm/suse/squid&distro=SUSE%20Manager%20Server%204.0: < 4.15-5.26.1
Patches
Vulnerability mechanics
Root cause
"Missing input validation on a Vary response header causes an assertion crash in Squid's HTTP response handling."
Attack vector
A remote attacker sends a crafted HTTP response containing a certain header (the "Vary" header is implicated by the advisory's description) to a Squid proxy. When Squid processes this response, the malformed header triggers an assertion failure, causing the proxy process to crash. The attack can be carried out over HTTP or HTTPS, and the advisory notes that such a header "can plausibly occur in benign network traffic," meaning the crash may be triggered without intentionally malicious payloads [ref_id=1].
Affected code
The advisory lists "Vary: Other HTTP Response Assertion Crash CVE-2021-28662" among the discovered issues [ref_id=1]. No specific source files or function names are provided in the reference write-up.
What the fix does
The advisory states that the issue was fixed in Squid 4.15 and 5.0.6 [ref_id=1]. No patch diff is included in the bundle, so the specific code changes are not available. The fix likely adds proper validation of the Vary response header to prevent the assertion failure.
Preconditions
- config: The Squid proxy must be running a vulnerable version (4.x before 4.15 or 5.x before 5.0.6).
- network: The attacker must be able to cause the Squid proxy to receive a crafted HTTP response with a certain Vary header.
- auth: No authentication is required; the attack can be triggered by benign-looking network traffic.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/ (mitre; vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/ (mitre; vendor-advisory)
- www.debian.org/security/2021/dsa-4924 (mitre; vendor-advisory)
- seclists.org/fulldisclosure/2023/Oct/14 (mitre; mailing-list)
- www.openwall.com/lists/oss-security/2023/10/11/3 (mitre; mailing-list)
- www.squid-cache.org/Versions/v6/changesets/squid-6-051824924c709bd6162a378f746fb859454c674e.patch (mitre)
- github.com/squid-cache/squid/commit/051824924c709bd6162a378f746fb859454c674e (mitre)
- github.com/squid-cache/squid/security/advisories/GHSA-jjq6-mh2h-g39h (mitre)
News mentions
No linked articles in our index yet.