CVE-2009-2855

EPSS 60.66%
Published 18.08.2009 21:00:00
Last modified 09.04.2025 00:30:58
Source cve@mitre.org
Teams watchlist Login
Open Login

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.

Affected products Warnungen 0 Metrics 2 CWE 1 References 15

Data is provided by the National Vulnerability Database (NVD)

Squid-cache ≫ Squid Version2.7

Squid-cache ≫ Squid Version2.7 Updatestable3

Squid-cache ≫ Squid Version2.7 Updatestable4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	60.66%	0.982

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534982

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31%3Bfilename=diff%3Batt=1%3Bbug=534982

http://www.openwall.com/lists/oss-security/2009/07/20/10

http://www.openwall.com/lists/oss-security/2009/08/03/3

http://www.openwall.com/lists/oss-security/2009/08/04/6

http://www.securityfocus.com/bid/36091

http://www.securitytracker.com/id?1022757

http://www.squid-cache.org/bugs/show_bug.cgi?id=2541

http://www.squid-cache.org/bugs/show_bug.cgi?id=2704

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=518182

https://exchange.xforce.ibmcloud.com/vulnerabilities/52610

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10592

https://nvd.nist.gov/vuln/detail/CVE-2009-2855

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2009-2855

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2009-2855

EUVD