CVE-2024-37894

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
GitHub_MCNA
6.3 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
VendorProductVersion
squid-cachesquid
3.0 ≤
𝑥
< 6.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
squid
bullseye
vulnerable
bullseye (security)
4.13-10+deb11u4
fixed
bookworm
5.7-2+deb12u2
fixed
bookworm (security)
5.7-2+deb12u3
fixed
trixie
6.13-2
fixed
forky
7.1-1
fixed
sid
7.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
squid3
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
Fixed 3.5.27-1ubuntu1.14+esm3
released
xenial
Fixed 3.5.12-1ubuntu7.16+esm4
released
squid
noble
Fixed 6.6-1ubuntu5.1
released
mantic
ignored
jammy
Fixed 5.9-0ubuntu0.22.04.2
released
focal
Fixed 4.10-1ubuntu1.13
released
Common Weakness Enumeration
References
https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch
https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg
https://security.netapp.com/advisory/ntap-20240719-0001/
https://github.com/squid-cache/squid/commit/f411fe7d75197852f0e5ee85027a06d58dd8df4c.patch
https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg
https://security.netapp.com/advisory/ntap-20240719-0001/