{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-31807", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T23:10:30.180Z", "dateReserved": "2021-04-26T00:00:00", "datePublished": "2021-06-08T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-17T04:06:20.125839"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf"}, {"url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch"}, {"name": "FEDORA-2021-c0bec55ec7", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/"}, {"name": "FEDORA-2021-24af72ff2c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/"}, {"name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html"}, {"url": "https://security.netapp.com/advisory/ntap-20210716-0007/"}, {"name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3"}, {"name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2023/Oct/14"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:10:30.180Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf", "tags": ["x_transferred"]}, {"url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch", "tags": ["x_transferred"]}, {"name": "FEDORA-2021-c0bec55ec7", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/"}, {"name": "FEDORA-2021-24af72ff2c", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/"}, {"name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html"}, {"url": "https://security.netapp.com/advisory/ntap-20210716-0007/", "tags": ["x_transferred"]}, {"name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3"}, {"name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2023/Oct/14"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9ED22D0-23B0-4441-91C9-CBC1C57A7D6D", "versionEndExcluding": "4.15", "versionStartIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "68801A75-0B13-444A-B88F-8BDD4EE953D3", "versionEndExcluding": "5.0.6", "versionStartIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable2:*:*:*:*:*:*:*", "matchCriteriaId": "3DBDF00F-0FCC-4C6B-8541-7FBF2FF79CEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable3:*:*:*:*:*:*:*", "matchCriteriaId": "1460A9BC-464D-47FC-9CDE-08E094E84520", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable4:*:*:*:*:*:*:*", "matchCriteriaId": "FA370C48-58E9-4A66-8CEB-01ABB90DDDF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable5:*:*:*:*:*:*:*", "matchCriteriaId": "F7D47FF1-44FC-4798-B7DB-45B3825496AF", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable6:*:*:*:*:*:*:*", "matchCriteriaId": "6AFABF40-3269-44D6-98BE-30030002BB40", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable7:*:*:*:*:*:*:*", "matchCriteriaId": "15D4C357-F4AC-4BB3-889D-0B76DB28D8A0", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable8:*:*:*:*:*:*:*", "matchCriteriaId": "B16B99BF-4DC3-4525-8153-B45287DB5BA1", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable9:*:*:*:*:*:*:*", "matchCriteriaId": "00A8E046-A375-442D-B96B-DBD2993652AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable10:*:*:*:*:*:*:*", "matchCriteriaId": "CE90AB17-3998-42D6-BB43-577C05BD8380", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable11:*:*:*:*:*:*:*", "matchCriteriaId": "6B516FB5-5779-4F81-812B-A321E3E711FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable12:*:*:*:*:*:*:*", "matchCriteriaId": "6DD5E8F7-19C7-4733-9A57-033572E8A78B", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable13:*:*:*:*:*:*:*", "matchCriteriaId": "EB55AD78-C3FA-4DC5-81F0-83CB1385AE5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.5.stable14:*:*:*:*:*:*:*", "matchCriteriaId": "2B43CE92-434B-4F93-9355-F9CD6D5959EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.6:*:*:*:*:*:*:*", "matchCriteriaId": "3AE100C3-0245-4305-B514-77D0572C2947", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.7:-:*:*:*:*:*:*", "matchCriteriaId": "A4E50120-7298-4BC5-AC36-708EFCCFA1F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*", "matchCriteriaId": "EFBB466C-C679-4B4B-87C2-E7853E5B3F04", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*", "matchCriteriaId": "A03692DD-779F-4E3C-861C-29943870A816", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*", "matchCriteriaId": "79FF6B3C-A3CE-4AA2-80F9-44D05A6B2F08", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*", "matchCriteriaId": "3CF6E367-D33B-4B60-8C40-4618C47D53E8", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*", "matchCriteriaId": "0FA1F4FE-629C-4489-A13C-017A824C840F", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*", "matchCriteriaId": "2479C5BF-94E1-4153-9FA3-333BC00F01D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*", "matchCriteriaId": "8ABFCCCC-7584-466E-97CC-6EBD3934A70E", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*", "matchCriteriaId": "F17E49BF-FB11-4EE6-B6AC-30914F381B2F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*", "matchCriteriaId": "197D0D80-6702-4B61-B681-AFDBA7D69067", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent."}, {"lang": "es", "value": "Se ha detectado un problema en Squid versiones anteriores a 4.15 y en versiones 5.x anteriores a 5.0.6. Un problema de desbordamiento de enteros permite a un servidor remoto conseguir una Denegaci\u00f3n de Servicio cuando se entrega respuestas a peticiones de rango HTTP. El desencadenante del problema es un encabezado que puede esperarse que se presente en el tr\u00e1fico HTTP sin ninguna intenci\u00f3n maliciosa"}], "id": "CVE-2021-31807", "lastModified": "2023-11-07T03:35:00.180", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-08T20:15:09.057", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Oct/14"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210716-0007/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges Joshua Rogers (Opera Software) as the original reporter.", "affected_release": [{"advisory": "RHSA-2021:4292", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "squid:4-8050020210618131503.b4937e53", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}], "bugzilla": {"description": "squid: incorrect memory management in HTTP Range header", "id": "1962597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1962597"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.", "An incorrect memory management flaw was found in Squid, where it is vulnerable to a denial of service attack against all clients using the proxy. The highest threat from this vulnerability is to system availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-31807", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-05-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-31807\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-31807\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf"], "statement": "This issue has been rated as having a security impact of Moderate. At this stage in their life, Red Hat Enterprise Linux 6 and 7 only accept Important and Critical Security Advisories (RHSAs) and this flaw does not meet these criteria. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata.\nRed Hat Satellite does not ship the Squid package, however, does consume it from RHEL 7 repository. Product is not affected by this flaw as squid.conf configuration disables all the http_access fragments except the localhost.", "threat_severity": "Moderate", "upstream_fix": "squid 4.15, squid 5.0.6"}