CVE-2021-41611

An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. When validating an origin server or peer certificate, Squid may incorrectly classify certain certificates as trusted. This problem allows a remote server to obtain security trust well improperly. This indication of trust may be passed along to clients, allowing access to unsafe or hijacked services.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2021/12/23/2	Mailing List Third Party Advisory
http://www.squid-cache.org/Versions/v6/changesets/squid-6-43d6b5c81b88ec2256b430c69a872a1e4f324e4a.patch	Vendor Advisory
https://github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r	Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CWQ2WKDWTSO47S3F6XJJ6HGG2ULWEAE4/

Configurations

Configuration 1 (hide)

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

History

07 Nov 2023, 03:38

Type	Values Removed	Values Added
References	{'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWQ2WKDWTSO47S3F6XJJ6HGG2ULWEAE4/', 'name': 'FEDORA-2021-15d2f70a07', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CWQ2WKDWTSO47S3F6XJJ6HGG2ULWEAE4/ -

Information

Published : 2021-10-18 09:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-41611

Mitre link : CVE-2021-41611

CVE.ORG link : CVE-2021-41611

JSON object : View

Products Affected

fedoraproject

fedora

squid-cache

squid

CWE

CWE-295

Improper Certificate Validation

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-41611

7.5^/10

5.0^/10

Attach tags to `CVE-2021-41611`