Squidex
by Squidex
Source repositories
CVEs (155)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2005-0174 | 0.04 | — | 0.51 | Feb 7, 2005 | Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or conduct certain attacks via headers that do not follow the HTTP specification, including (1) multiple Content-Length headers, (2) carriage return (CR) characters that are not part of a CRLF pair, and (3)… | |||
| CVE-2004-0189 | 0.04 | — | 0.14 | Mar 15, 2004 | The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") character, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. | |||
| CVE-2002-0163 | 0.04 | — | 0.15 | Mar 26, 2002 | Heap-based buffer overflow in Squid before 2.4 STABLE4, and Squid 2.5 and 2.6 until March 12, 2002 distributions, allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via compressed DNS responses. | |||
| CVE-2002-0068 | 0.04 | — | 0.09 | Mar 8, 2002 | Squid 2.4 STABLE3 and earlier allows remote attackers to cause a denial of service (core dump) and possibly execute arbitrary code with an ftp:// URL with a larger number of special characters, which exceed the buffer when Squid URL-escapes the characters. | |||
| CVE-1999-0710 | 0.04 | — | 0.12 | Jul 25, 1999 | The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems. | |||
| CVE-2023-46847 | 0.03 | — | 0.86 | Nov 3, 2023 | Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication. | |||
| CVE-2019-12526 | 0.03 | — | 0.20 | Nov 26, 2019 | An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to… | |||
| CVE-2019-12854 | 0.03 | — | 0.12 | Aug 15, 2019 | Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it. | |||
| CVE-2014-0128 | 0.03 | — | 0.33 | Apr 14, 2014 | Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management. | |||
| CVE-2013-4115 | 0.03 | — | 0.43 | Aug 9, 2013 | Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request. | |||
| CVE-2011-4096 | 0.03 | — | 0.38 | Nov 17, 2011 | The idnsGrokReply function in Squid before 3.1.16 does not properly free memory, which allows remote attackers to cause a denial of service (daemon abort) via a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record. | |||
| CVE-2010-2951 | 0.03 | — | 0.31 | Oct 12, 2010 | dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is not enabled, accesses an invalid socket during an IPv4 TCP DNS query, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via vectors that trigger an IPv4 DNS response with the… | |||
| CVE-2009-2855 | 0.03 | — | 0.37 | Aug 18, 2009 | The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function. | |||
| CVE-2005-0446 | 0.03 | — | 0.41 | May 2, 2005 | Squid 2.5.STABLE8 and earlier allows remote attackers to cause a denial of service (crash) via certain DNS responses regarding (1) Fully Qualified Domain Names (FQDN) in fqdncache.c or (2) IP addresses in ipcache.c, which trigger an assertion failure. | |||
| CVE-2005-0175 | 0.03 | — | 0.41 | Feb 7, 2005 | Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache via an HTTP response splitting attack. | |||
| CVE-1999-1481 | 0.03 | — | 0.04 | Dec 31, 1999 | Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair. | |||
| CVE-2025-54574 | 0.02 | — | 0.23 | Aug 1, 2025 | Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable… | |||
| CVE-2020-11945 | 0.02 | — | 0.27 | Apr 23, 2020 | An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code… | |||
| CVE-2019-12528 | 0.02 | — | 0.10 | Feb 4, 2020 | An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes. | |||
| CVE-2014-7142 | 0.02 | — | 0.25 | Nov 26, 2014 | The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size. |
- CVE-2005-0174Feb 7, 2005risk 0.04cvss —epss 0.51
Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or conduct certain attacks via headers that do not follow the HTTP specification, including (1) multiple Content-Length headers, (2) carriage return (CR) characters that are not part of a CRLF pair, and (3)…
- CVE-2004-0189Mar 15, 2004risk 0.04cvss —epss 0.14
The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") character, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.
- CVE-2002-0163Mar 26, 2002risk 0.04cvss —epss 0.15
Heap-based buffer overflow in Squid before 2.4 STABLE4, and Squid 2.5 and 2.6 until March 12, 2002 distributions, allows remote attackers to cause a denial of service, and possibly execute arbitrary code, via compressed DNS responses.
- CVE-2002-0068Mar 8, 2002risk 0.04cvss —epss 0.09
Squid 2.4 STABLE3 and earlier allows remote attackers to cause a denial of service (core dump) and possibly execute arbitrary code with an ftp:// URL with a larger number of special characters, which exceed the buffer when Squid URL-escapes the characters.
- CVE-1999-0710Jul 25, 1999risk 0.04cvss —epss 0.12
The Squid package in Red Hat Linux 5.2 and 6.0, and other distributions, installs cachemgr.cgi in a public web directory, which allows remote attackers to use it as an intermediary to connect to other systems.
- CVE-2023-46847Nov 3, 2023risk 0.03cvss —epss 0.86
Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.
- CVE-2019-12526Nov 26, 2019risk 0.03cvss —epss 0.20
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to…
- CVE-2019-12854Aug 15, 2019risk 0.03cvss —epss 0.12
Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it.
- CVE-2014-0128Apr 14, 2014risk 0.03cvss —epss 0.33
Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.
- CVE-2013-4115Aug 9, 2013risk 0.03cvss —epss 0.43
Buffer overflow in the idnsALookup function in dns_internal.cc in Squid 3.2 through 3.2.11 and 3.3 through 3.3.6 allows remote attackers to cause a denial of service (memory corruption and server termination) via a long name in a DNS lookup request.
- CVE-2011-4096Nov 17, 2011risk 0.03cvss —epss 0.38
The idnsGrokReply function in Squid before 3.1.16 does not properly free memory, which allows remote attackers to cause a denial of service (daemon abort) via a DNS reply containing a CNAME record that references another CNAME record that contains an empty A record.
- CVE-2010-2951Oct 12, 2010risk 0.03cvss —epss 0.31
dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is not enabled, accesses an invalid socket during an IPv4 TCP DNS query, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via vectors that trigger an IPv4 DNS response with the…
- CVE-2009-2855Aug 18, 2009risk 0.03cvss —epss 0.37
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.
- CVE-2005-0446May 2, 2005risk 0.03cvss —epss 0.41
Squid 2.5.STABLE8 and earlier allows remote attackers to cause a denial of service (crash) via certain DNS responses regarding (1) Fully Qualified Domain Names (FQDN) in fqdncache.c or (2) IP addresses in ipcache.c, which trigger an assertion failure.
- CVE-2005-0175Feb 7, 2005risk 0.03cvss —epss 0.41
Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache via an HTTP response splitting attack.
- CVE-1999-1481Dec 31, 1999risk 0.03cvss —epss 0.04
Squid 2.2.STABLE5 and below, when using external authentication, allows attackers to bypass access controls via a newline in the user/password pair.
- CVE-2025-54574Aug 1, 2025risk 0.02cvss —epss 0.23
Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable…
- CVE-2020-11945Apr 23, 2020risk 0.02cvss —epss 0.27
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code…
- CVE-2019-12528Feb 4, 2020risk 0.02cvss —epss 0.10
An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes.
- CVE-2014-7142Nov 26, 2014risk 0.02cvss —epss 0.25
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.
Page 3 of 8