|Summary:||<net-proxy/squid-4.15: out-of-bounds read in WCCP protocol data may lead to information disclosure (CVE-2021-28116)|
|Product:||Gentoo Security||Reporter:||John Helmert III <ajak>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||C2 [glsa+ cve]|
|Package list:||Runtime testing required:||---|
Description John Helmert III 2021-03-10 02:55:32 UTC
CVE-2021-28116: Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.

Not much information available but this CVE itself only appears to be information disclosure, and apparently no public fix yet.
Comment 1 Mikle Kolyada 2021-05-17 08:06:16 UTC
4.15 is in stable now.
Comment 2 Thomas Deutschmann 2021-05-24 16:13:15 UTC
> This can be leveraged as part of a chain for remote code execution as nobody.

This will get a GLSA, new GLSA request filed.