CVE-2021-28652
Publication date 27 May 2021
Last updated 24 July 2024
Ubuntu priority
CVSS 3 Severity Score
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that, over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.
Status
Package | Ubuntu Release | Status |
---|---|---|
squid | 22.04 LTS jammy | Fixed 4.13-10ubuntu1 |
squid | 20.04 LTS focal | Fixed 4.10-1ubuntu1.4 |
squid | 18.04 LTS bionic | Not in release |
squid | 16.04 LTS xenial | Not in release |
squid | 14.04 LTS trusty | Not in release |
squid3 | 22.04 LTS jammy | Not in release |
squid3 | 20.04 LTS focal | Not in release |
squid3 | 18.04 LTS bionic | Fixed 3.5.27-1ubuntu1.11 |
squid3 | 16.04 LTS xenial | Ignored |
squid3 | 14.04 LTS trusty | Not in release |
Notes
mdeslaur
this issue only affects the Cache Manager, which is usually restricted to trusted clients only. The patch is intrusive to backport to 3.x versions, so we will not be fixing this issue in older releases. We recommend setting appropriate access control to limit connections from trusted clients.
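One way to check the access-control recommendation in the note above, as an added example (not Ubuntu's or the Squid project's code): a heuristic audit of `http_access` ordering in squid.conf, relying on Squid's first-match rule evaluation and its built-in `manager` and `localhost` ACLs. The `TRUSTED` set and both sample configurations are assumptions constructed for illustration.

```python
# Added example: heuristic audit of squid.conf http_access ordering for the
# Cache Manager. TRUSTED is an assumption; list the ACL names you trust.
TRUSTED = {"localhost"}

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_OK = """\
acl localnet src 10.0.0.0/8
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all
"""
SAMPLE_BAD = """\
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access allow localhost manager
http_access deny manager
http_access deny all
"""


def audit_manager_access(conf_text, trusted=TRUSTED):
    """Return (line_no, rule) pairs for allow rules that can admit a Cache
    Manager request from a client not covered by a trusted ACL."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 3 or fields[0] != "http_access":
            continue
        action, acls = fields[1], fields[2:]
        if "!manager" in acls:
            continue  # rule never matches Cache Manager requests
        others = [a for a in acls if a != "manager"]
        if action == "deny":
            if not others or others == ["all"]:
                break  # first match wins: all remaining manager requests stop here
            continue  # conditional deny: some manager requests may still pass
        # ACLs on one line are ANDed, so one trusted ACL is enough to restrict it.
        if not any(a in trusted for a in others):
            findings.append((line_no, raw.strip()))
    return findings


if __name__ == "__main__":
    for name, conf in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, audit_manager_access(conf))
```

In `SAMPLE_BAD` the broad `allow localnet` rule precedes `deny manager`, so any localnet client reaches the Cache Manager; moving the two manager rules above it closes that path.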
Patch details
Package | Patch details |
---|---|
squid |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.9 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | High |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4981-1: Squid vulnerabilities (3 June 2021)