CVE-2018-1000024

EUVD-2018-1786
The Squid Software Foundation Squid HTTP Caching Proxy versions 3.0 to 3.5.27 and 4.0 to 4.0.22 contain an Incorrect Pointer Handling vulnerability in ESI Response Processing that can result in Denial of Service for all clients using the proxy. This attack appears to be exploitable when a remote server delivers an HTTP response payload containing valid but unusual ESI syntax. This vulnerability appears to have been fixed in 4.0.23 and later.
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score shown is CVSS 3.x.
EPSS Score: Percentile 93%
Affected Products (NVD)
Vendor       Product       Version
squid-cache  squid         3.0 ≤ x ≤ 3.5.27
squid-cache  squid         4.0 ≤ x ≤ 4.0.22
debian       debian_linux  7.0
debian       debian_linux  8.0
debian       debian_linux  9.0
canonical    ubuntu_linux  14.04
canonical    ubuntu_linux  16.04
canonical    ubuntu_linux  17.10
x = Vulnerable software versions
Debian Releases
Debian Product  Codename             Version          Status
squid           bookworm             5.7-2+deb12u2    fixed
squid           bookworm (security)  5.7-2+deb12u2    fixed
squid           bullseye             4.13-10+deb11u3  fixed
squid           bullseye (security)  4.13-10+deb11u3  fixed
squid           sid                  6.12-1           fixed
squid           trixie               6.12-1           fixed
squid           wheezy                                not-affected
Ubuntu Releases
Ubuntu Product  Codename  Version                  Status
squid3          artful    Fixed 3.5.23-5ubuntu1.1  released
squid3          bionic    Fixed 3.5.23-5ubuntu2    released
squid3          cosmic                             dne
squid3          disco                              dne
squid3          trusty    Fixed 3.3.8-1ubuntu6.11  released
squid3          xenial    Fixed 3.5.12-1ubuntu7.5  released