Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid's HTTP request parsing is vulnerable to a Denial of Service attack. A remote client can trigger it by sending a large X-Forwarded-For header to a Squid instance on which the follow_x_forwarded_for feature is configured; the trigger condition described here is not met on instances where follow_x_forwarded_for is not configured. The bug is fixed in Squid version 6.6, and patches addressing it for the stable releases can be found in Squid's patch archives.
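The failure mode named in the advisory is the CWE-674 pattern: the amount of work (and stack) consumed while handling the header grows with the number of entries the remote client supplies. The following is an added illustration, not code from the advisory or from Squid: a simplified trust-chain walk over X-Forwarded-For entries written once with one recursive call per hop and once as a bounded loop applying the same policy. The trusted-proxy set, the hop limit and the sample headers are constructed for the example and are assumptions; they do not describe Squid's follow_x_forwarded_for implementation.

```python
"""Illustration of the CWE-674 failure mode: one recursive call per X-Forwarded-For
hop versus a bounded iterative walk applying the same trust policy.

Added example, not code from the advisory or from Squid. The trust policy (a fixed
set of proxy addresses), the hop limit and the sample headers are assumptions
chosen for the example.
"""
import sys
from typing import Callable, List, Optional, Set

# Python's default recursion limit, set explicitly so the outcome is reproducible.
sys.setrecursionlimit(1000)


def parse_xff(header_value: str) -> List[str]:
    """Split an X-Forwarded-For value into its hops, oldest first, dropping blanks."""
    return [hop.strip() for hop in header_value.split(",") if hop.strip()]


def client_ip_recursive(peer: str, hops: List[str], trusted: Set[str]) -> str:
    """Resolve the originating client by recursing once per trusted hop.

    While the current address is a trusted proxy, the decision is handed to the
    previous entry in the header. The recursion depth equals the number of entries
    the policy accepts, and the number of entries is chosen by the remote client.
    """
    if peer not in trusted or not hops:
        return peer
    return client_ip_recursive(hops[-1], hops[:-1], trusted)


def client_ip_iterative(peer: str, hops: List[str], trusted: Set[str], max_hops: int = 16) -> str:
    """Same policy as a loop with a hard cap: stack use is constant regardless of header size."""
    remaining = list(hops)
    steps = 0
    while peer in trusted and remaining and steps < max_hops:
        peer = remaining.pop()
        steps += 1
    return peer


def resolve(strategy: Callable[..., str], peer: str, header_value: str,
            trusted: Set[str]) -> Optional[str]:
    """Run a strategy over a raw header value; None means the walk exhausted the stack."""
    try:
        return strategy(peer, parse_xff(header_value), trusted)
    except RecursionError:
        return None


TRUSTED = {"127.0.0.1", "10.0.0.5", "192.0.2.10"}   # constructed trusted-proxy set
NORMAL_XFF = "198.51.100.7, 10.0.0.5, 127.0.0.1"     # constructed: client, then two proxies
OVERSIZED_XFF = ", ".join(["127.0.0.1"] * 5000)     # constructed: one trusted hop repeated

if __name__ == "__main__":
    for name, strategy in (("recursive", client_ip_recursive), ("iterative", client_ip_iterative)):
        print(name, "normal:   ", resolve(strategy, "192.0.2.10", NORMAL_XFF, TRUSTED))
        print(name, "oversized:", resolve(strategy, "192.0.2.10", OVERSIZED_XFF, TRUSTED))
```

On the normal header both strategies agree on the originating client. On the oversized header the recursive walk exhausts the interpreter's stack (reported here as None) while the iterative walk stops at its hop cap; the point is that the bound on work must come from the server, not from the header.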
CWE-674: Uncontrolled Recursion. The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
https://cwe.mitre.org/data/definitions/674.html

CAPEC-230: Serialized Data with Nested Payloads. Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
https://capec.mitre.org/data/definitions/230.html

CAPEC-231: Oversized Serialized Data Payloads. An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.
https://capec.mitre.org/data/definitions/231.html

| Product | Vendor | Status |
|---|---|---|
| squid | | Tracked |
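To check a deployment against the version ranges listed in the advisory above, the following is an added example, not code from the advisory or the Squid project. It assumes Squid version strings are dotted numbers, optionally with a STABLE/RC label on the third component as in 2.7.STABLE9, and that a Via header emitted by Squid carries the version as "squid/<version>"; a distribution suffix such as "-2ubuntu1" is ignored. A version inside the ranges only shows that the upstream release is affected; distribution packages may carry a backported fix that the version string does not reveal, so confirm against the vendor's own advisory.

```python
"""Check whether a Squid version string falls inside the affected ranges this
advisory lists (2.6 to 2.7.STABLE9, 3.1 to 5.9, 6.0.1 to 6.5; fixed in 6.6).

Added example, not from the advisory or the Squid project. Assumptions: version
strings are dotted numbers with an optional STABLE/RC label on the third
component; a Via header from Squid carries "squid/<version>"; distribution
suffixes after '-' are ignored.
"""
import re
from typing import Optional, Tuple

# Inclusive (lower, upper) bounds, copied from the advisory text.
AFFECTED_RANGES = (("2.6", "2.7.STABLE9"), ("3.1", "5.9"), ("6.0.1", "6.5"))
FIXED_IN = "6.6"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.7.STABLE9', 'squid/5.9' or '6.5-2ubuntu1' into a comparable int tuple."""
    core = text.strip().split("/")[-1].split("-")[0]   # drop 'squid/' prefix and distro suffix
    numbers = re.findall(r"\d+", core)                  # '2.7.STABLE9' -> ['2', '7', '9']
    if not numbers:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in numbers)


def compare(a: Version, b: Version) -> int:
    """Three-way compare, treating missing trailing components as zero (6.5 == 6.5.0)."""
    width = max(len(a), len(b))
    a_pad = a + (0,) * (width - len(a))
    b_pad = b + (0,) * (width - len(b))
    return (a_pad > b_pad) - (a_pad < b_pad)


def is_affected(version_text: str) -> bool:
    """True when the version lies inside one of the advisory's inclusive ranges."""
    v = parse_version(version_text)
    return any(
        compare(parse_version(lo), v) <= 0 and compare(v, parse_version(hi)) <= 0
        for lo, hi in AFFECTED_RANGES
    )


def version_from_via(via_header: str) -> Optional[str]:
    """Extract the version from a Via value such as '1.1 proxy.example.net (squid/5.9)'."""
    match = re.search(r"squid/([0-9][\w.]*)", via_header)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed sample inputs: a Via header as a Squid proxy would emit it, plus raw versions.
    sample_via = "1.1 proxy.example.net (squid/5.9)"
    for candidate in (version_from_via(sample_via), "2.7.STABLE9", "3.0.STABLE26", "6.5", FIXED_IN):
        print(f"{candidate:>14}: {'affected' if is_affected(candidate) else 'not in listed ranges'}")
```

Run it against the version in your proxy's Via header or the output of `squid -v`; for packaged builds, pair the result with the distribution's changelog, since a backported patch leaves the version number unchanged.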