CVE-2016-2390
MEDIUMSquid < 3.5.14 and 4.0.x < 4.0.6 - Denial of Service via SSL Handshake Error Handling
Title source: llmDescription
The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message.
References (7)
Core 7
Core References
Vendor Advisory x_refsource_confirm
http://www.squid-cache.org/Advisories/SQUID-2016_1.txt
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1035045
Vendor Advisory mailing-list
x_refsource_mlist
http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000038.html
Vendor Advisory mailing-list
x_refsource_mlist
http://lists.squid-cache.org/pipermail/squid-announce/2016-February/000037.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
Various Sources x_refsource_confirm
http://bugs.squid-cache.org/show_bug.cgi?id=4437
Scores
CVSS v3
5.9
EPSS
0.2555
EPSS Percentile
97.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (3)
squid-cache/squid
4.0.4
squid-cache/squid
4.0.5
squid-cache/squid
< 3.5.13
Published
Apr 19, 2016
Tracked Since
Feb 18, 2026