Squidex
by Squidex
Source repositories
CVEs (155)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-14059 | 0.00 | — | 0.04 | Jun 30, 2020 | An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list. | |||
| CVE-2019-12520 | 0.00 | — | 0.04 | Apr 15, 2020 | An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the… | |||
| CVE-2019-12522 | 0.00 | — | 0.00 | Apr 15, 2020 | An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has… | |||
| CVE-2019-12521 | 0.00 | — | 0.06 | Apr 15, 2020 | An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for… | |||
| CVE-2019-12524 | 0.00 | — | 0.04 | Apr 15, 2020 | An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the… | |||
| CVE-2019-18860 | 0.00 | — | 0.06 | Mar 20, 2020 | Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi. | |||
| CVE-2020-8517 | 0.00 | — | 0.07 | Feb 4, 2020 | An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process… | |||
| CVE-2020-8449 | 0.00 | — | 0.08 | Feb 4, 2020 | An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters. | |||
| CVE-2019-12523 | 0.00 | — | 0.04 | Nov 26, 2019 | An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to… | |||
| CVE-2019-18676 | 0.00 | — | 0.09 | Nov 26, 2019 | An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security… | |||
| CVE-2019-18677 | 0.00 | — | 0.07 | Nov 26, 2019 | An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins… | |||
| CVE-2019-18678 | 0.00 | — | 0.11 | Nov 26, 2019 | An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid)… | |||
| CVE-2019-18679 | 0.00 | — | 0.41 | Nov 26, 2019 | An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation.… | |||
| CVE-2018-19131 | 0.00 | — | 0.03 | Nov 9, 2018 | Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors. | |||
| CVE-2018-19132 | 0.00 | — | 0.06 | Nov 9, 2018 | Squid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet. | |||
| CVE-2015-0881 | 0.00 | — | 0.05 | Feb 20, 2015 | CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response. | |||
| CVE-2009-0801 | 0.00 | — | 0.03 | Mar 4, 2009 | Squid, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted… | |||
| CVE-2008-1612 | 0.00 | — | 0.02 | Apr 1, 2008 | The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for… | |||
| CVE-2005-3258 | 0.00 | — | 0.02 | Oct 20, 2005 | The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and earlier allows remote FTP servers to cause a denial of service (segmentation fault) via certain "odd" responses. | |||
| CVE-2005-2917 | 0.00 | — | 0.03 | Sep 30, 2005 | Squid 2.5.STABLE10 and earlier, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart). |
- CVE-2020-14059Jun 30, 2020risk 0.00cvss —epss 0.04
An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list.
- CVE-2019-12520Apr 15, 2020risk 0.00cvss —epss 0.04
An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the…
- CVE-2019-12522Apr 15, 2020risk 0.00cvss —epss 0.00
An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has…
- CVE-2019-12521Apr 15, 2020risk 0.00cvss —epss 0.06
An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for…
- CVE-2019-12524Apr 15, 2020risk 0.00cvss —epss 0.04
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the…
- CVE-2019-18860Mar 20, 2020risk 0.00cvss —epss 0.06
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
- CVE-2020-8517Feb 4, 2020risk 0.00cvss —epss 0.07
An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process…
- CVE-2020-8449Feb 4, 2020risk 0.00cvss —epss 0.08
An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters.
- CVE-2019-12523Nov 26, 2019risk 0.00cvss —epss 0.04
An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to…
- CVE-2019-18676Nov 26, 2019risk 0.00cvss —epss 0.09
An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security…
- CVE-2019-18677Nov 26, 2019risk 0.00cvss —epss 0.07
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins…
- CVE-2019-18678Nov 26, 2019risk 0.00cvss —epss 0.11
An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid)…
- CVE-2019-18679Nov 26, 2019risk 0.00cvss —epss 0.41
An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation.…
- CVE-2018-19131Nov 9, 2018risk 0.00cvss —epss 0.03
Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.
- CVE-2018-19132Nov 9, 2018risk 0.00cvss —epss 0.06
Squid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet.
- CVE-2015-0881Feb 20, 2015risk 0.00cvss —epss 0.05
CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response.
- CVE-2009-0801Mar 4, 2009risk 0.00cvss —epss 0.03
Squid, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted…
- CVE-2008-1612Apr 1, 2008risk 0.00cvss —epss 0.02
The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for…
- CVE-2005-3258Oct 20, 2005risk 0.00cvss —epss 0.02
The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and earlier allows remote FTP servers to cause a denial of service (segmentation fault) via certain "odd" responses.
- CVE-2005-2917Sep 30, 2005risk 0.00cvss —epss 0.03
Squid 2.5.STABLE10 and earlier, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart).
Page 7 of 8