Ubuntu CVE tracker (ubuntu.com): UB:CVE-2021-28652

CVE-2021-28652

Published: 2021-05-27 00:00:00
Source: ubuntu.com
Tags: squid, denial of service, cache manager api, memory leaks, trusted clients, access control

CVSS2: 4 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL

CVSS3: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

EPSS: 0.004 (Percentile: 72.9%)

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to
incorrect parser validation, it allows a Denial of Service attack against
the Cache Manager API. This allows a trusted client to trigger memory leaks
that, over time, lead to a Denial of Service via an unspecified short query
string. This attack is limited to clients with Cache Manager API access
privilege.

Notes

Author Note (mdeslaur): this issue only affects the Cache Manager, which is usually restricted to trusted clients only. The patch is intrusive to backport to 3.x versions, so we will not be fixing this issue in older releases. We recommend setting appropriate access control to limit connections from trusted clients.
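As an added example (not from the Ubuntu tracker or the Squid project), a squid.conf access-control fragment implementing the recommendation above for releases that will not receive the patch: Cache Manager requests are accepted only from the proxy itself and one trusted administrative host, and denied for every other client before the general proxy rules run. The ACL name mgmt_hosts, the address 192.0.2.10 and the password placeholder are assumptions constructed for this example.

```squid
# Added example: restrict the Cache Manager API to trusted hosts only.
# "manager" and "localhost" are built-in ACLs in Squid 3.2 and later;
# "manager" matches cache_object:// URLs and /squid-internal-mgr/ paths.
# mgmt_hosts and 192.0.2.10 are constructed placeholders for this example.
acl mgmt_hosts src 192.0.2.10/32

# Allow manager requests only from the proxy host and the admin host,
# then deny manager access to everyone else before the general rules.
http_access allow localhost manager
http_access allow mgmt_hosts manager
http_access deny manager

# Optionally require a password for every manager action as a second check
# (CHANGE_ME is a placeholder; keep the real secret out of version control).
cachemgr_passwd CHANGE_ME all

# Normal proxy rules for ordinary clients follow, for example:
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
```

Validate the edited file with `squid -k parse` before applying it with `squid -k reconfigure`; on releases that do carry the fix, upgrading to the package versions listed below remains the primary remedy.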

OS      Version  Architecture  Package  Version               Filename
ubuntu  20.04    noarch        squid    < 4.10-1ubuntu1.4     UNKNOWN
ubuntu  20.10    noarch        squid    < 4.13-1ubuntu2.2     UNKNOWN
ubuntu  21.04    noarch        squid    < 4.13-1ubuntu4.1     UNKNOWN
ubuntu  21.10    noarch        squid    < 4.13-10ubuntu1      UNKNOWN
ubuntu  22.04    noarch        squid    < 4.13-10ubuntu1      UNKNOWN
ubuntu  18.04    noarch        squid3   < 3.5.27-1ubuntu1.11  UNKNOWN
