CVE-2018-1000027

HIGH

Squid Software Foundation Squid <4.0.23 - DoS

Title source: llm

Description

The Squid Software Foundation Squid HTTP Caching Proxy, in versions prior to 4.0.23, contains a NULL Pointer Dereference vulnerability in HTTP response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appears to be exploitable via a remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.

References (9)

Vendor Advisory (Ubuntu): https://usn.ubuntu.com/4059-2/
Third Party Advisory (Ubuntu): https://usn.ubuntu.com/3557-1/
Third Party Advisory (Debian): https://www.debian.org/security/2018/dsa-4122
Patch, Vendor Advisory: http://www.squid-cache.org/Advisories/SQUID-2018_2.txt
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html
Third Party Advisory: https://github.com/squid-cache/squid/pull/129/files
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html

Scores

CVSS v3 7.5
EPSS 0.1315
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-476
Status published
Products (7)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
squid-cache/squid < 4.0.23
Published Feb 09, 2018
Tracked Since Feb 18, 2026