CVE-2016-2390

MEDIUM

Squid < 3.5.14 and 4.0.x < 4.0.6 - Denial of Service via SSL Handshake Error Handling

Title source: llm
STIX 2.1

Description

The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message.

References (7)

Core 7
Core References
Vendor Advisory x_refsource_confirm
http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035045
Various Sources x_refsource_confirm
http://bugs.squid-cache.org/show_bug.cgi?id=4437

Scores

CVSS v3 5.9
EPSS 0.2555
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-20
Status published
Products (3)
squid-cache/squid 4.0.4
squid-cache/squid 4.0.5
squid-cache/squid < 3.5.13
Published Apr 19, 2016
Tracked Since Feb 18, 2026