{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-31808", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T23:10:30.120Z", "dateReserved": "2021-04-26T00:00:00", "datePublished": "2021-05-27T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-17T04:06:16.573947"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf"}, {"url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch"}, {"name": "DSA-4924", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2021/dsa-4924"}, {"name": "FEDORA-2021-c0bec55ec7", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/"}, {"name": "FEDORA-2021-24af72ff2c", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/"}, {"name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html"}, {"url": "https://security.netapp.com/advisory/ntap-20210716-0007/"}, {"name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3"}, {"name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": ["mailing-list"], "url": "http://seclists.org/fulldisclosure/2023/Oct/14"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:10:30.120Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf", "tags": ["x_transferred"]}, {"url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch", "tags": ["x_transferred"]}, {"name": "DSA-4924", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4924"}, {"name": "FEDORA-2021-c0bec55ec7", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/"}, {"name": "FEDORA-2021-24af72ff2c", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/"}, {"name": "[debian-lts-announce] 20210614 [SECURITY] [DLA 2685-1] squid3 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html"}, {"url": "https://security.netapp.com/advisory/ntap-20210716-0007/", "tags": ["x_transferred"]}, {"name": "[oss-security] 20231011 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3"}, {"name": "20231016 Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days.", "tags": ["mailing-list", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2023/Oct/14"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "32AC0EE8-444B-447A-98E9-C22F82A6203C", "versionEndExcluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "68801A75-0B13-444A-B88F-8BDD4EE953D3", "versionEndExcluding": "5.0.6", "versionStartIncluding": "5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*", "matchCriteriaId": "197D0D80-6702-4B61-B681-AFDBA7D69067", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Squid versiones anteriores a 4.15 y versiones 5.x anteriores a 5.0.6. Debido a un bug de comprobaci\u00f3n de entrada, es vulnerable a ataques de Denegaci\u00f3n de Servicio (contra todos los clientes que usan el proxy). Un cliente env\u00eda una petici\u00f3n HTTP Range para desencadenar esto"}], "id": "CVE-2021-31808", "lastModified": "2023-11-07T03:35:00.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-27T14:15:07.500", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Oct/14"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/10/11/3"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210716-0007/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4924"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges Joshua Rogers (Opera Software) as the original reporter.", "affected_release": [{"advisory": "RHSA-2021:4292", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "squid:4-8050020210618131503.b4937e53", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}], "bugzilla": {"description": "squid: integer overflow in HTTP Range header", "id": "1962599", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1962599"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-190", "details": ["An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.", "An integer overflow flaw was found in Squid, where it is vulnerable to a denial of service attack against all clients using the proxy. The highest threat from this vulnerability is to system availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-31808", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-05-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-31808\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-31808\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf"], "statement": "This issue has been rated as having a security impact of Moderate. At this stage in their life, Red Hat Enterprise Linux 6 and 7 only accept Important and Critical Security Advisories (RHSAs) and this flaw does not meet these criteria. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata.\nRed Hat Satellite does not ship the Squid package, however, does consume it from RHEL 7 repository. Product is not affected by this flaw as squid.conf configuration disables all the http_access fragments except the localhost.", "threat_severity": "Moderate", "upstream_fix": "squid 4.15, squid 5.0.6"}