CVE-2020-24606

HIGH

Squid 3.0-4.12 and 5.x < 5.0.4 - Denial of Service via Crafted Cache Digest Response

Title source: llm
STIX 2.1

Description

Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.

References (14)

Core 14
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4751
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4477-1/
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4551-1/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210219-0007/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210226-0006/

Scores

CVSS v3 8.6
EPSS 0.0634
EPSS Percentile 91.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Details

CWE
CWE-667
Status published
Products (11)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 20.04
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 31
fedoraproject/fedora 32
fedoraproject/fedora 33
opensuse/leap 15.1
opensuse/leap 15.2
... and 1 more
Published Aug 24, 2020
Tracked Since Feb 18, 2026