CVE-2020-24606
high-risk
Published 2020-08-24
Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.
Do I need to act?
~
6.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.6/10
High
NETWORK
/ LOW complexity
Affected Products (11)
Affected Vendors
References (28)
Third Party Advisory
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210219-0007/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210226-0006/
Third Party Advisory
https://usn.ubuntu.com/4477-1/
Third Party Advisory
https://usn.ubuntu.com/4551-1/
Third Party Advisory
https://www.debian.org/security/2020/dsa-4751
Third Party Advisory
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
and 8 more references
54
/ 100
high-risk
Severity
29/34 · Critical
Exploitability
9/34 · Low
Exposure
16/34 · Moderate