CVE-2021-31806

MEDIUM

Squid < 4.15 - Denial of Service

Title source: rule

Description

An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.

Exploits (1)

metasploit WORKING POC

by Joshua Rogers · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/squid_range_dos.rb

View Code ZIP pw:eip

References (9)

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2023/Oct/14

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2023/10/11/3

[Patch, Vendor Advisory] http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch

[Patch, Third Party Advisory] https://github.com/squid-cache/squid/security/advisories/GHSA-pxwq-f3qr-w2xf

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/06/msg00014.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20210716-0007/

[Third Party Advisory] https://www.debian.org/security/2021/dsa-4924

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQ3U54ZCNXR44QRPW3AV2VCS6K3TKCF/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4EPIWUZDJAXADDHVOPKRBTQHPBR6H66/

Scores

CVSS v3 6.5

EPSS 0.8518

EPSS Percentile 99.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-116

Status published

Products (6)

debian/debian_linux 9.0

debian/debian_linux 10.0

fedoraproject/fedora 33

fedoraproject/fedora 34

netapp/cloud_manager

squid-cache/squid < 4.15

Published May 27, 2021

Tracked Since Feb 18, 2026