CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score
Confidence: Low

EPSS
Percentile: 83.0%

Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings.
Vendor | Product | Version | CPE |
---|---|---|---|
squid | squid | 2.0.patch1 | cpe:2.3:a:squid:squid:2.0.patch1:*:*:*:*:*:*:* |
squid | squid | 2.0.patch2 | cpe:2.3:a:squid:squid:2.0.patch2:*:*:*:*:*:*:* |
squid | squid | 2.0.pre1 | cpe:2.3:a:squid:squid:2.0.pre1:*:*:*:*:*:*:* |
squid | squid | 2.0.release | cpe:2.3:a:squid:squid:2.0.release:*:*:*:*:*:*:* |
squid | squid | 2.1.patch1 | cpe:2.3:a:squid:squid:2.1.patch1:*:*:*:*:*:*:* |
squid | squid | 2.1.patch2 | cpe:2.3:a:squid:squid:2.1.patch2:*:*:*:*:*:*:* |
squid | squid | 2.1.pre1 | cpe:2.3:a:squid:squid:2.1.pre1:*:*:*:*:*:*:* |
squid | squid | 2.1.pre3 | cpe:2.3:a:squid:squid:2.1.pre3:*:*:*:*:*:*:* |
squid | squid | 2.1.pre4 | cpe:2.3:a:squid:squid:2.1.pre4:*:*:*:*:*:*:* |
squid | squid | 2.1.release | cpe:2.3:a:squid:squid:2.1.release:*:*:*:*:*:*:* |
distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000923
fedoranews.org/updates/FEDORA--.shtml
marc.info/?l=bugtraq&m=110901183320453&w=2
www.debian.org/security/2005/dsa-667
www.kb.cert.org/vuls/id/260421
www.squid-cache.org/bugs/show_bug.cgi?id=1166
www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls
www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch