Vulnerability CVE-2009-2855

Vulnerability Name:

CVE-2009-2855 (CCN-52610)

Assigned:

2009-06-28

Published:

2009-06-28

Updated:

2017-09-19

Summary:

The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

2.9 Low (REDHAT CVSS v2 Vector: AV:A/AC:M/Au:N/C:N/I:N/A:P)
2.3 Low (REDHAT Temporal CVSS v2 Vector: AV:A/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Adjacent_Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Denial of Service

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:squid-cache:squid:2.7:-:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration CCN 1:

cpe:/a:squid-cache:squid:2.7.stable3:*:*:*:*:*:*:*

AND

cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*

OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:2.0:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*

OR cpe:/o:turbolinux:turbolinux:fuji:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*

OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*

OR cpe:/o:debian:debian_linux:5.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20092855	V	CVE-2009-2855	2022-05-20
oval:org.opensuse.security:def:42439	P	Security update for qemu (Important)	2022-04-20
oval:org.opensuse.security:def:31374	P	Security update for libsndfile (Important)	2022-01-05
oval:org.opensuse.security:def:32252	P	Security update for chrony (Moderate)	2021-12-22
oval:org.opensuse.security:def:26185	P	Security update for xorg-x11-server (Important)	2021-12-20
oval:org.opensuse.security:def:31324	P	Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)	2021-12-14
oval:org.opensuse.security:def:32240	P	Security update for the Linux Kernel (Live Patch 41 for SLE 12 SP3) (Important)	2021-12-14
oval:org.opensuse.security:def:42228	P	Security update for krb5 (Moderate)	2021-12-06
oval:org.opensuse.security:def:31716	P	Security update for mozilla-nss (Important)	2021-12-06
oval:org.opensuse.security:def:31300	P	Security update for MozillaFirefox (Important)	2021-11-17
oval:org.opensuse.security:def:32214	P	Security update for pcre (Moderate)	2021-11-10
oval:org.opensuse.security:def:32213	P	Security update for binutils (Moderate)	2021-11-09
oval:org.opensuse.security:def:26158	P	Security update for binutils (Moderate)	2021-11-02
oval:org.opensuse.security:def:31289	P	Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)	2021-10-18
oval:org.opensuse.security:def:31288	P	Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)	2021-10-18
oval:org.opensuse.security:def:26147	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:29432	P	Security update for apache2 (Important)	2021-10-06
oval:org.opensuse.security:def:26128	P	Security update for postgresql13 (Moderate)	2021-09-16
oval:org.opensuse.security:def:32995	P	Security update for file (Important)	2021-09-02
oval:org.opensuse.security:def:32164	P	Security update for java-1_8_0-openjdk (Important)	2021-08-20
oval:org.opensuse.security:def:26103	P	Security update for the Linux Kernel (Important)	2021-08-10
oval:org.opensuse.security:def:26089	P	Security update for MozillaFirefox (Important)	2021-07-16
oval:org.opensuse.security:def:32956	P	Security update for openexr (Important)	2021-06-24
oval:org.opensuse.security:def:32127	P	Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)	2021-06-18
oval:org.opensuse.security:def:31192	P	Security update for MozillaFirefox (Important)	2021-06-08
oval:org.opensuse.security:def:36294	P	squid-2.7.STABLE5-2.12.16.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:42701	P	squid-2.7.STABLE5-2.12.16.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:32106	P	Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)	2021-06-04
oval:org.opensuse.security:def:32108	P	Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)	2021-06-04
oval:org.opensuse.security:def:26050	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:26047	P	Security update for xen (Important)	2021-05-12
oval:org.opensuse.security:def:32070	P	Security update for clamav (Important)	2021-04-14
oval:org.opensuse.security:def:32064	P	Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important)	2021-04-07
oval:org.opensuse.security:def:26211	P	Security update for glib2 (Important)	2021-03-16
oval:org.opensuse.security:def:32274	P	Security update for glib2 (Important)	2021-03-16
oval:org.opensuse.security:def:31742	P	Security update for git (Important)	2021-03-09
oval:org.opensuse.security:def:29468	P	Security update for wpa_supplicant (Important)	2021-02-15
oval:org.opensuse.security:def:31655	P	Security update for MozillaFirefox (Important)	2021-01-29
oval:org.opensuse.security:def:32020	P	Security update for cyrus-sasl (Important)	2020-12-28
oval:org.opensuse.security:def:31560	P	Security update for python-cryptography (Moderate)	2020-12-04
oval:org.opensuse.security:def:32003	P	Security update for python-cryptography (Moderate)	2020-12-04
oval:org.opensuse.security:def:35821	P	squid-2.7.STABLE5-2.10.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:36032	P	squid-2.7.STABLE5-2.12.12.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35638	P	squid-2.7.STABLE5-2.4.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:42045	P	squid-2.7.STABLE5-2.4.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:25582	P	Security update for libX11 (Important)	2020-12-01
oval:org.opensuse.security:def:28216	P	Security update for libquicktime (Moderate)	2020-12-01
oval:org.opensuse.security:def:25907	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:27257	P	pam_krb5 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31106	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:31584	P	Security update for tcpdump	2020-12-01
oval:org.opensuse.security:def:32390	P	Security update for tomcat6 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26522	P	apache2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31926	P	Recommended update for ghostscript-library (Important)	2020-12-01
oval:org.opensuse.security:def:25265	P	Security update for mgetty (Moderate)	2020-12-01
oval:org.opensuse.security:def:25923	P	Security update for util-linux (Moderate)	2020-12-01
oval:org.opensuse.security:def:31954	P	Security update for gstreamer-0_10-plugins-base (Important)	2020-12-01
oval:org.opensuse.security:def:32536	P	kdelibs3 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25855	P	Security update for flash-player (Critical)	2020-12-01
oval:org.opensuse.security:def:31416	P	Security update for php53 (Important)	2020-12-01
oval:org.opensuse.security:def:32370	P	Recommended update for tboot (Moderate)	2020-12-01
oval:org.opensuse.security:def:31978	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:25766	P	Security update for mariadb (Important)	2020-12-01
oval:org.opensuse.security:def:28734	P	Security update for kvm (Important)	2020-12-01
oval:org.opensuse.security:def:25575	P	Security update for libX11 (Important)	2020-12-01
oval:org.opensuse.security:def:26269	P	Security update for python3-requests (Moderate)	2020-12-01
oval:org.opensuse.security:def:26603	P	libsnmp15-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25581	P	Security update for perl-XML-Twig (Moderate)	2020-12-01
oval:org.opensuse.security:def:28086	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:25868	P	Security update for pcre (Moderate)	2020-12-01
oval:org.opensuse.security:def:26357	P	Security update for enigmail (Important)	2020-12-01
oval:org.opensuse.security:def:31510	P	Security update for libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32333	P	Security update for samba (Moderate)	2020-12-01
oval:org.opensuse.security:def:31882	P	Security update for dnsmasq (Important)	2020-12-01
oval:org.opensuse.security:def:33257	P	squid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25201	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:25866	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:28593	P	Security update for openvpn	2020-12-01
oval:org.opensuse.security:def:32514	P	ft2demos on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26820	P	squid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25844	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:31952	P	Security update for grub2 (Important)	2020-12-01
oval:org.opensuse.security:def:31846	P	Security update for clamav (Important)	2020-12-01
oval:org.opensuse.security:def:25615	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:28695	P	Security update for gimp	2020-12-01
oval:org.opensuse.security:def:32318	P	Security update for rsync (Moderate)	2020-12-01
oval:org.opensuse.security:def:25447	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:32799	P	tomcat6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28022	P	Security update for bind (Important)	2020-12-01
oval:org.opensuse.security:def:31598	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:32633	P	apache2-mod_jk on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26313	P	Security update for python-requests (Moderate)	2020-12-01
oval:org.opensuse.security:def:32603	P	squid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31499	P	Security update for python-paramiko (Important)	2020-12-01
oval:org.opensuse.security:def:25948	P	Security update for libraw (Moderate)	2020-12-01
oval:org.opensuse.security:def:31860	P	Security update for curl (Moderate)	2020-12-01
oval:org.opensuse.security:def:33218	P	openssh on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25190	P	Security update for virglrenderer (Important)	2020-12-01
oval:org.opensuse.security:def:25785	P	Security update for flash-player (Critical)	2020-12-01
oval:org.opensuse.security:def:28441	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:32475	P	Security update for xscreensaver (Moderate)	2020-12-01
oval:org.opensuse.security:def:26785	P	mozilla-xulrunner192 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25843	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:31865	P	Security update for curl (Moderate)	2020-12-01
oval:org.opensuse.security:def:26619	P	ntp on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31772	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:25531	P	Security update for ucode-intel (Moderate)	2020-12-01
oval:org.opensuse.security:def:26473	P	Security update for Chromium (Important)	2020-12-01
oval:org.opensuse.security:def:33520	P	Security update for squid	2020-12-01
oval:org.opensuse.security:def:25383	P	Security update for libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:31898	P	Security update for MozillaFirefox, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:32777	P	python-sssd-config on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27030	P	squid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28011	P	Security update for apache2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:31506	P	Security update for python27 (Important)	2020-12-01
oval:org.opensuse.security:def:26299	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:32564	P	libpython2_6-1_0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31498	P	Security update for python-numpy (Important)	2020-12-01
oval:org.opensuse.security:def:25797	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:31821	P	Security update for avahi (Moderate)	2020-12-01
oval:org.opensuse.security:def:32580	P	mozilla-xulrunner191 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25189	P	Security update for ucode-intel (Moderate)	2020-12-01
oval:org.opensuse.security:def:25657	P	Security update for graphviz (Low)	2020-12-01
oval:org.opensuse.security:def:28357	P	Security update for postgresql94 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32426	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:25965	P	Security update for xorg-x11-server (Important)	2020-12-01
oval:org.opensuse.security:def:31118	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:31808	P	Security update for apache2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25819	P	Security update for python-tornado (Moderate)	2020-12-01
oval:org.opensuse.security:def:26575	P	krb5-doc on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32785	P	squid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31761	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:25474	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:32042	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:33481	P	Security update for libnetpbm	2020-12-01
oval:org.opensuse.security:def:25372	P	Security update for LibVNCServer (Important)	2020-12-01
oval:org.opensuse.security:def:32738	P	libxcrypt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26995	P	nagios-plugins on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28010	P	Security update for apache2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26260	P	Security update for Mesa (Moderate)	2020-12-01
oval:org.opensuse.security:def:28794	P	Security update for mozilla-nspr, mozilla-nss	2020-12-01
oval:org.opensuse.security:def:32032	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:25713	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:28646	P	Security update for compat-openssl097g (Moderate)	2020-12-01
oval:org.opensuse.security:def:25593	P	Security update for openvpn (Moderate)	2020-12-01
oval:org.opensuse.security:def:28300	P	Security update for netpbm (Moderate)	2020-12-01
oval:org.opensuse.security:def:25921	P	Recommended update for mariadb (Important)	2020-12-01
oval:org.opensuse.security:def:27292	P	squid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31107	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:32477	P	Security update for zlib (Moderate)	2020-12-01
oval:org.opensuse.security:def:26561	P	gstreamer-0_10-plugins-good on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32746	P	mailman on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31760	P	Security update for MozillaFirefox (Critical)	2020-12-01
oval:org.opensuse.security:def:25393	P	Security update for libqt5-qtbase (Important)	2020-12-01
oval:org.opensuse.security:def:26007	P	Security update for libid3tag (Moderate)	2020-12-01
oval:org.opensuse.security:def:32843	P	curl on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25371	P	Security update for python-ipaddress (Important)	2020-12-01
oval:org.opensuse.security:def:25919	P	Security update for libplist (Moderate)	2020-12-01
oval:org.opensuse.security:def:31473	P	Security update for procmail	2020-12-01
oval:org.opensuse.security:def:32689	P	kdebase3-runtime on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26001	P	Security update for openexr (Moderate)	2020-12-01
oval:org.opensuse.security:def:28750	P	Security update for libmpfr	2020-12-01
oval:org.opensuse.security:def:32021	P	Security update for kernel-firmware (Moderate)	2020-12-01
oval:org.opensuse.security:def:25656	P	Security update for spice-gtk (Moderate)	2020-12-01
oval:org.opensuse.security:def:26420	P	Security update for phpMyAdmin (Moderate)	2020-12-01
oval:org.opensuse.security:def:26638	P	squid on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:13281	P	USN-901-1 -- squid vulnerabilities	2014-06-30
oval:org.mitre.oval:def:13267	P	DSA-1991-1 squid/squid3 -- denial of service	2014-06-23
oval:org.mitre.oval:def:7325	P	DSA-1991 squid/squid3 -- denial of service	2014-06-23
oval:org.mitre.oval:def:22519	P	ELSA-2010:0221: squid security and bug fix update (Low)	2014-05-26
oval:org.mitre.oval:def:22197	P	RHSA-2010:0221: squid security and bug fix update (Low)	2014-02-24
oval:org.mitre.oval:def:10592	V	The strListGetItem function in src/HttpHeaderTools.c in Squid 2.7 allows remote attackers to cause a denial of service via a crafted auth header with certain comma delimiters that trigger an infinite loop of calls to the strcspn function.	2013-04-29
oval:com.redhat.rhsa:def:20100221	P	RHSA-2010:0221: squid security and bug fix update (Low)	2010-03-30
oval:org.debian:def:1991	V	denial of service	2010-02-04

BACK