Squid
Monthly
Squid versions prior to 7.5 contain a heap use-after-free vulnerability (CWE-416) in ICP (Internet Cache Protocol) traffic handling that enables remote attackers to reliably trigger denial of service against affected proxy services. The vulnerability affects any Squid deployment with ICP support explicitly enabled via non-zero icp_port configuration, and cannot be mitigated through access control rules alone. A patch is available in version 7.5, and the vulnerability has been confirmed across multiple Debian releases and SUSE distributions.
Squid prior to version 7.5 contains an out-of-bounds read vulnerability in ICP (Internet Cache Protocol) traffic handling due to improper input validation, classified as CWE-125. Remote attackers can exploit this to leak small amounts of process memory potentially containing sensitive information by sending malformed ICP requests to deployments with explicitly enabled ICP support (non-zero icp_port configuration). The vulnerability affects all versions of Squid before 7.5, and while no CVSS score or EPSS data is currently available, the information disclosure impact and remote attack vector indicate moderate to significant risk for affected deployments.
Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Squid is a caching proxy for the Web. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Squid versions prior to 7.5 contain a heap use-after-free vulnerability (CWE-416) in ICP (Internet Cache Protocol) traffic handling that enables remote attackers to reliably trigger denial of service against affected proxy services. The vulnerability affects any Squid deployment with ICP support explicitly enabled via non-zero icp_port configuration, and cannot be mitigated through access control rules alone. A patch is available in version 7.5, and the vulnerability has been confirmed across multiple Debian releases and SUSE distributions.
Squid prior to version 7.5 contains an out-of-bounds read vulnerability in ICP (Internet Cache Protocol) traffic handling due to improper input validation, classified as CWE-125. Remote attackers can exploit this to leak small amounts of process memory potentially containing sensitive information by sending malformed ICP requests to deployments with explicitly enabled ICP support (non-zero icp_port configuration). The vulnerability affects all versions of Squid before 7.5, and while no CVSS score or EPSS data is currently available, the information disclosure impact and remote attack vector indicate moderate to significant risk for affected deployments.
Squid through 7.1 mishandles ASN.1 encoding of long SNMP OIDs. Rated medium severity (CVSS 4.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Squid is a caching proxy for the Web. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.