Denial Of Service (DoS)

2020-09-2106:31:21

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

JSON

Squid is vulnerable denial of service (DoS). It allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.

CPENameOperatorVersion
squid:focaleq4.10-1ubuntu1
squid3:xenialeq3.5.12-1ubuntu7
squid3:xenialeq3.5.12-1ubuntu7.13
squid3:xenialeq3.5.12-1ubuntu7.14
squid3:bioniceq3.5.27-1ubuntu1
squid3:bioniceq3.5.27-1ubuntu1.8
squideq3.5.20__15.el7
squideq3.5.20__12.el7_6.1
squideq3.5.20__15.el7_8.1
squid:3.9eq4.10-r0

Name	Operator	Version
squid:focal	eq	4.10-1ubuntu1
squid3:xenial	eq	3.5.12-1ubuntu7
squid3:xenial	eq	3.5.12-1ubuntu7.13
squid3:xenial	eq	3.5.12-1ubuntu7.14
squid3:bionic	eq	3.5.27-1ubuntu1
squid3:bionic	eq	3.5.27-1ubuntu1.8
squid	eq	3.5.20__15.el7
squid	eq	3.5.20__12.el7_6.1
squid	eq	3.5.20__15.el7_8.1
squid:3.9	eq	4.10-r0