CVSS2 | |
---|---|
Score | 5 Medium |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |

EPSS | |
---|---|
Score | 0.965 High |
Percentile | 99.6% |
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows
remote attackers to cause a denial of service via a crafted auth header
with certain comma delimiters that trigger an infinite loop of calls to the
strcspn function.
Author | Note |
---|---|
mdeslaur | reproducer in RH bug: reproducer doesn't work on 2.5 and 2.6, as code is different. Don't seem to be vulnerable. |
micahg | http://packages.debian.org/changelogs/pool/main/s/squid3/current/changelog#version3.0.STABLE19-1 shows this CVE fixed, so marking as not-affected for lucid |