{ "threat_severity" : "Moderate", "public_date" : "2016-04-20T00:00:00Z", "bugzilla" : { "description" : "squid: multiple issues in ESI processing", "id" : "1329136", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1329136" }, "cvss" : { "cvss_base_score" : "5.1", "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:P/A:P", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "Multiple stack-based buffer overflows in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote HTTP servers to cause a denial of service or execute arbitrary code via crafted Edge Side Includes (ESI) responses.", "Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1138", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "squid-7:3.1.23-16.el6_8.4" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1140", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "squid34-7:3.4.14-9.el6_8.3" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1139", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "squid-7:3.3.8-26.el7_2.3" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "squid", "cpe" : "cpe:/o:redhat:enterprise_linux:5" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-4052\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4052\nhttp://www.squid-cache.org/Advisories/SQUID-2016_6.txt" ], "name" : "CVE-2016-4052", "csaw" : false }