{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45802", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-09T14:23:07.504Z", "datePublished": "2024-10-28T14:36:13.297Z", "dateUpdated": "2024-10-28T14:48:42.415Z"}, "containers": {"cna": {"title": "Squid Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj"}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"version": ">= 3.0, < 6.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-28T14:36:13.297Z"}, "descriptions": [{"lang": "en", "value": "Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10."}], "source": {"advisory": "GHSA-f975-v7qw-q7hj", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "squid-cache", "product": "squid", "cpes": ["cpe:2.3:a:squid-cache:squid:3.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.0", "status": "affected", "lessThan": "6.10", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-28T14:47:34.303324Z", "id": "CVE-2024-45802", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T14:48:42.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45802", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-28T14:47:34.303324Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:squid-cache:squid:3.0:*:*:*:*:*:*:*"], "vendor": "squid-cache", "product": "squid", "versions": [{"status": "affected", "version": "3.0", "lessThan": "6.10", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T14:48:37.033Z"}}], "cna": {"title": "Squid Denial of Service", "source": {"advisory": "GHSA-f975-v7qw-q7hj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"status": "affected", "version": ">= 3.0, < 6.10"}]}], "references": [{"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj", "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-10-28T14:36:13.297Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45802", "state": "PUBLISHED", "dateUpdated": "2024-10-28T14:48:42.415Z", "dateReserved": "2024-09-09T14:23:07.504Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-10-28T14:36:13.297Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "269E064C-AAF8-4A48-BBAB-76A37C1A0684", "versionEndExcluding": "6.10", "versionStartIncluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10."}, {"lang": "es", "value": "Squid es un proxy de almacenamiento en cach\u00e9 de c\u00f3digo abierto para la Web compatible con HTTP, HTTPS, FTP y m\u00e1s. Debido a errores de validaci\u00f3n de entrada, liberaci\u00f3n prematura de recursos durante el tiempo de vida \u00fatil esperado y falta de liberaci\u00f3n de recursos despu\u00e9s del tiempo de vida \u00fatil efectivo, Squid es vulnerable a ataques de denegaci\u00f3n de servicio por parte de un servidor confiable contra todos los clientes que utilicen el proxy. Este error se corrigi\u00f3 en la configuraci\u00f3n de compilaci\u00f3n predeterminada de la versi\u00f3n 6.10 de Squid."}], "id": "CVE-2024-45802", "lastModified": "2024-11-05T16:45:52.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-10-28T15:15:04.857", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9738", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "squid-7:3.5.20-17.el7_9.11", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9644", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "squid:4-8100020241113143337.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9624", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "squid:4-8020020241112142652.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9625", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "squid-7:5.5-14.el9_5.3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9729", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "squid-7:5.2-1.el9_0.7", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9677", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "squid-7:5.5-5.el9_2.8", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:9678", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "squid-7:5.5-13.el9_4.2", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-11-14T00:00:00Z"}], "bugzilla": {"description": "squid: Denial of Service processing ESI response content", "id": "2322154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322154"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10.", "A flaw was found in Squid. Due to input validation and resource management issues, a denial of service may be triggered during the processing of certain Edge Side Includes (ESI) response content."], "mitigation": {"lang": "en:us", "value": "This bug was mitigated by the default upstream build configuration of Squid since version 6.10."}, "name": "CVE-2024-45802", "public_date": "2024-10-28T14:36:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45802\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45802\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj"], "statement": "All builds of Squid shipped in supported versions of Red Hat Enterprise Linux are built with the vulnerable (ESI) feature enabled.", "threat_severity": "Important"}