CVE-2021-28652

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-28652
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that. over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.

4.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References
Link Resource
http://seclists.org/fulldisclosure/2023/Oct/14 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/11/3 Mailing List Third Party Advisory
https://bugs.squid-cache.org/show_bug.cgi?id=5106 Exploit Issue Tracking Vendor Advisory
https://github.com/squid-cache/squid/security/advisories/GHSA-m47m-9hvw-7447 Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/
https://www.debian.org/security/2021/dsa-4924 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
History

07 Nov 2023, 03:32

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/', 'name': 'FEDORA-2021-c0bec55ec7', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/', 'name': 'FEDORA-2021-24af72ff2c', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/ -

24 Oct 2023, 14:46

Type Values Removed Values Added
References (FULLDISC) http://seclists.org/fulldisclosure/2023/Oct/14 - (FULLDISC) http://seclists.org/fulldisclosure/2023/Oct/14 - Mailing List, Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2023/10/11/3 - (MLIST) http://www.openwall.com/lists/oss-security/2023/10/11/3 - Mailing List, Third Party Advisory

17 Oct 2023, 05:15

Type Values Removed Values Added
References
  • (FULLDISC) http://seclists.org/fulldisclosure/2023/Oct/14 -

11 Oct 2023, 12:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2023/10/11/3 -
Information

Published : 2021-05-27 12:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-28652

Mitre link : CVE-2021-28652

CVE.ORG link : CVE-2021-28652

JSON object : View

Products Affected

debian

  • debian_linux

squid-cache

  • squid

fedoraproject

  • fedora
CWE
CWE-401

Missing Release of Memory after Effective Lifetime