Vulnerability Name:

CVE-2007-1560 (CCN-33124)

Assigned:2007-03-20
Published:2007-03-20
Updated:2017-10-11
Summary:The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error.
CVSS v3 Severity:5.7 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2007-1560

Source: CCN
Type: RHSA-2007-0131
Moderate: squid security update

Source: CCN
Type: SA24611
Squid TRACE Request Denial of Service Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
24611

Source: SECUNIA
Type: Vendor Advisory
24614

Source: SECUNIA
Type: Vendor Advisory
24625

Source: SECUNIA
Type: Vendor Advisory
24662

Source: SECUNIA
Type: Vendor Advisory
24911

Source: GENTOO
Type: UNKNOWN
GLSA-200703-27

Source: CCN
Type: SECTRACK ID: 1017805
Squid TRACE Method Bug Lets Remote Users Deny Service

Source: CCN
Type: ASA-2007-163
squid security update (RHSA-2007-0131)

Source: CCN
Type: GLSA-200703-27
Squid: Denial of Service

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2007:068

Source: SUSE
Type: UNKNOWN
SUSE-SR:2007:005

Source: REDHAT
Type: UNKNOWN
RHSA-2007:0131

Source: BID
Type: UNKNOWN
23085

Source: CCN
Type: BID-23085
Squid Proxy TRACE Request Remote Denial of Service Vulnerability

Source: SECTRACK
Type: UNKNOWN
1017805

Source: CCN
Type: Squid Web site
Squid Web Proxy Cache

Source: CCN
Type: SQUID-2007:1
Denial of service in TRACE method processing

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.squid-cache.org/Advisories/SQUID-2007_1.txt

Source: CONFIRM
Type: UNKNOWN
http://www.squid-cache.org/Versions/v2/2.6/changesets/11349.patch

Source: CCN
Type: TLSA-2007-23
Squid denial of service attack

Source: CCN
Type: USN-441-1
Squid vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-441-1

Source: VUPEN
Type: Vendor Advisory
ADV-2007-1035

Source: XF
Type: UNKNOWN
squid-clientprocessrequest-dos(33124)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10291

Source: SUSE
Type: SUSE-SR:2007:005
SUSE Security Summary Report

Vulnerable Configuration:Configuration 1:
  • cpe:/a:squid:squid:2.6.stable1:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable2:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable3:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable4:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable5:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable6:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable7:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable8:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable9:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable10:*:*:*:*:*:*:*
  • OR cpe:/a:squid:squid:2.6.stable11:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:squid-cache:squid:2.6.stable1:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable2:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable3:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable4:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable5:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable6:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable10:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable11:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable7:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable8:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable9:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:2.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*

  • * Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:22235 | P | ELSA-2007:0131: squid security update (Moderate) | 2014-05-26
oval:org.mitre.oval:def:10291 | V | The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error. | 2013-04-29
oval:org.opensuse.security:def:20071560 | V | CVE-2007-1560 | 2012-07-03
oval:com.redhat.rhsa:def:20070131 | P | RHSA-2007:0131: squid security update (Moderate) | 2007-04-03
Vulnerable Components:
  • squid squid 2.6.stable1
  • squid squid 2.6.stable2
  • squid squid 2.6.stable3
  • squid squid 2.6.stable4
  • squid squid 2.6.stable5
  • squid squid 2.6.stable6
  • squid squid 2.6.stable7
  • squid squid 2.6.stable8
  • squid squid 2.6.stable9
  • squid squid 2.6.stable10
  • squid squid 2.6.stable11
  • squid-cache squid 2.6.stable1
  • squid-cache squid 2.6.stable2
  • squid-cache squid 2.6.stable3
  • squid-cache squid 2.6.stable4
  • squid-cache squid 2.6.stable5
  • squid-cache squid 2.6.stable6
  • squid-cache squid 2.6.stable7
  • squid-cache squid 2.6.stable8
  • squid-cache squid 2.6.stable9
  • squid-cache squid 2.6.stable10
  • squid-cache squid 2.6.stable11
  • gentoo linux *
  • mandrakesoft mandrake linux corporate server 3.0
  • mandrakesoft mandrake linux corporate server 3.0 (x86_64)
  • mandrakesoft mandrake multi network firewall 2.0
  • mandrakesoft mandrake linux 2006
  • mandrakesoft mandrake linux 2006 (x86-64)
  • mandrakesoft mandrake linux 2007
  • mandrakesoft mandrake linux 2007 (x86_64)
  • mandrakesoft mandrake linux corporate server 4.0
  • mandrakesoft mandrake linux corporate server 4.0 (x86_64)
  • redhat enterprise linux 5
  • redhat enterprise linux 5 (client_workstation)