CVE-2021-28651

Published: May 10, 2021
Source: redhat
CVSS3: 7.4
EPSS: Low

Description

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.

An input validation flaw was found in Squid. This issue could allow a malicious server in collaboration with a trusted client to consume arbitrarily large amounts of memory on the server running Squid. The highest threat from this vulnerability is to system availability.

Report

This issue has been rated as having a security impact of Moderate. At this stage in their life cycle, Red Hat Enterprise Linux 6 and 7 only accept Important and Critical Security Advisories (RHSAs), and this flaw does not meet those criteria. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata. Red Hat Satellite does not ship the Squid package; it does, however, consume it from the RHEL 7 repository. The product is not affected by this flaw, as its squid.conf configuration disables all http_access fragments except localhost.

Mitigation

If possible, disable URN processing by adding the following lines in squid.conf:

acl URN proto URN
http_access deny URN
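As an added example that is not part of the advisory or of Squid itself: a small Python check that scans a squid.conf for the mitigation above. The helper names (urn_acl_names, urn_denied_before_allow) and the sample configurations are constructed for this example. Beyond confirming that the two lines are present, it verifies that the deny rule comes before the first http_access allow, because Squid evaluates http_access rules top-down and the first matching rule wins, so a deny placed after a matching allow never takes effect.

```python
from typing import Iterator, List, Tuple

# Constructed sample configurations (not taken from the advisory).
# 1) No URN handling at all: requests with the urn: scheme reach the parser.
VULNERABLE_CONF = """\
acl localnet src 10.0.0.0/8
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""

# 2) Mitigation applied and the deny rule placed before the first allow.
MITIGATED_CONF = """\
acl localnet src 10.0.0.0/8
acl Safe_ports port 80 443
acl URN proto URN          # ACL from the advisory
http_access deny !Safe_ports
http_access deny URN       # must precede any allow that could match
http_access allow localnet
http_access deny all
"""

# 3) Mitigation lines present but ordered after the allow: ineffective for
#    clients matched by 'localnet', since first match wins in Squid.
MISORDERED_CONF = """\
acl localnet src 10.0.0.0/8
acl URN proto URN
http_access allow localnet
http_access deny URN
http_access deny all
"""


def _directives(conf: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (directive, args) for each non-empty, non-comment config line."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def urn_acl_names(conf: str) -> List[str]:
    """Return the names of 'proto' ACLs whose value list includes URN."""
    names: List[str] = []
    for directive, args in _directives(conf):
        if directive == "acl" and len(args) >= 3 and args[1] == "proto":
            if any(value.upper() == "URN" for value in args[2:]):
                names.append(args[0])
    return names


def urn_denied_before_allow(conf: str) -> bool:
    """True if 'http_access deny <urn-acl>' appears before any 'http_access allow'.

    This is a heuristic ordering check: it does not model every ACL
    combination, only the common case of a single deny line placed ahead
    of the allow rules, which is what makes the mitigation reliable.
    """
    urn_acls = set(urn_acl_names(conf))
    if not urn_acls:
        return False  # mitigation ACL never defined
    for directive, args in _directives(conf):
        if directive != "http_access" or not args:
            continue
        action, terms = args[0], args[1:]
        if action == "deny" and len(terms) == 1 and terms[0] in urn_acls:
            return True
        if action == "allow":
            return False  # an allow was reached first; deny would be shadowed
    return False


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF),
                        ("mitigated", MITIGATED_CONF),
                        ("misordered", MISORDERED_CONF)):
        print(f"{label:10s} urn_acls={urn_acl_names(conf)} "
              f"denied_before_allow={urn_denied_before_allow(conf)}")
```

Run it against a real squid.conf by reading the file into a string and passing it to urn_denied_before_allow; a False result means either the ACL is missing or the deny line is shadowed by an earlier allow and should be moved up.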

Affected packages

Platform                     | Package | State                | Recommendation | Release
Red Hat Enterprise Linux 6   | squid   | Out of support scope |                |
Red Hat Enterprise Linux 6   | squid34 | Out of support scope |                |
Red Hat Enterprise Linux 7   | squid   | Out of support scope |                |
Red Hat Enterprise Linux 9   | squid   | Not affected         |                |
Red Hat Enterprise Linux 8   | squid   | Fixed                | RHSA-2021:4292 | 09.11.2021


Additional information

Status: Moderate
Weakness: CWE-401->CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=1962243 squid: denial of service in URN processing

EPSS: 0.03713 (percentile: 88%), Low
CVSS3: 7.4 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 4 years ago

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.

CVSS3: 7.5
nvd
about 4 years ago

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.

CVSS3: 7.5
debian
about 4 years ago

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due ...

CVSS3: 7.4
fstec
about 4 years ago

A vulnerability in the Squid proxy server caused by insufficient input validation when resolving "urn:" resource identifiers, allowing an attacker to cause a denial of service

suse-cvrf
more than 3 years ago

Security update for squid3
