CVE-2009-2855

EUVD-2009-2845
The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
Affected Products (NVD)
VendorProductVersion
squid-cachesquid
2.7
squid-cachesquid
2.7:stable3
squid-cachesquid
2.7:stable4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
squid
bookworm
5.7-2+deb12u2
fixed
bookworm (security)
5.7-2+deb12u2
fixed
bullseye
4.13-10+deb11u3
fixed
bullseye (security)
4.13-10+deb11u3
fixed
sid
6.12-1
fixed
trixie
6.12-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
squid
dapper
not-affected
hardy
not-affected
intrepid
Fixed 2.7.STABLE3-1ubuntu2.2
released
jaunty
Fixed 2.7.STABLE3-4.1ubuntu1.1
released
karmic
Fixed 2.7.STABLE6-2ubuntu2.1
released
lucid
not-affected
maverick
not-affected
natty
not-affected
oneiric
not-affected
squid3
dapper
dne
hardy
ignored
intrepid
ignored
jaunty
Fixed 3.0.STABLE8-3+lenny4build0.9.04.1
released
karmic
ignored
lucid
not-affected
maverick
not-affected
natty
not-affected
oneiric
not-affected
Common Weakness Enumeration
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31%3Bfilename=diff%3Batt=1%3Bbug=534982
http://www.openwall.com/lists/oss-security/2009/07/20/10
http://www.openwall.com/lists/oss-security/2009/08/03/3
http://www.openwall.com/lists/oss-security/2009/08/04/6
http://www.securityfocus.com/bid/36091
http://www.securitytracker.com/id?1022757
http://www.squid-cache.org/bugs/show_bug.cgi?id=2541
http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
https://bugzilla.redhat.com/show_bug.cgi?id=518182
https://exchange.xforce.ibmcloud.com/vulnerabilities/52610
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10592
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31%3Bfilename=diff%3Batt=1%3Bbug=534982
http://www.openwall.com/lists/oss-security/2009/07/20/10
http://www.openwall.com/lists/oss-security/2009/08/03/3
http://www.openwall.com/lists/oss-security/2009/08/04/6
http://www.securityfocus.com/bid/36091
http://www.securitytracker.com/id?1022757
http://www.squid-cache.org/bugs/show_bug.cgi?id=2541
http://www.squid-cache.org/bugs/show_bug.cgi?id=2704
https://bugzilla.redhat.com/show_bug.cgi?id=518182
https://exchange.xforce.ibmcloud.com/vulnerabilities/52610
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10592