CVE-2018-1000027

The Squid Software Foundation Squid HTTP Caching Proxy version prior to version 4.0.23 contains a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appear to be exploitable via Remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
VendorProductVersion
squid-cachesquid
𝑥
< 4.0.23
debiandebian_linux
7.0
debiandebian_linux
8.0
debiandebian_linux
9.0
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
17.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
squid
bullseye (security)
4.13-10+deb11u3
fixed
bullseye
4.13-10+deb11u3
fixed
bookworm
5.7-2+deb12u2
fixed
bookworm (security)
5.7-2+deb12u2
fixed
sid
6.12-1
fixed
trixie
6.12-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
squid3
disco
dne
cosmic
dne
bionic
Fixed 3.5.23-5ubuntu2
released
artful
Fixed 3.5.23-5ubuntu1.1
released
xenial
Fixed 3.5.12-1ubuntu7.5
released
trusty
Fixed 3.3.8-1ubuntu6.11
released
Common Weakness Enumeration
References
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch
https://github.com/squid-cache/squid/pull/129/files
https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html
https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html
https://usn.ubuntu.com/3557-1/
https://usn.ubuntu.com/4059-2/
https://www.debian.org/security/2018/dsa-4122
http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch
https://github.com/squid-cache/squid/pull/129/files
https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html
https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html
https://usn.ubuntu.com/3557-1/
https://usn.ubuntu.com/4059-2/
https://www.debian.org/security/2018/dsa-4122