CVE-2020-14058

Updated: 2024-11-30 02:27:32.040704

Description:

An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 5 |
| CVSS Version 3.x | HIGH | 7.5 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| CentOS 6 ELS | squid34 | 3.4.14 | 7.5 | HIGH | Released | CLSA-2021:1632262221 | 2022-05-05 12:36:55 | |
| CentOS 6 ELS | squid | 3.1.23 | 7.5 | HIGH | Released | CLSA-2021:1629902677 | 2022-05-05 12:00:38 | |
| CloudLinux 6 ELS | squid | 3.1.23 | 7.5 | HIGH | Released | | 2022-04-28 15:57:41 | |
| CloudLinux 6 ELS | squid34 | 3.4.14 | 7.5 | HIGH | Released | | 2022-04-28 15:57:41 | |
| Oracle Linux 6 ELS | squid | 3.1.23 | 7.5 | HIGH | Released | CLSA-2021:1634925600 | 2022-04-28 15:57:41 | |
| Oracle Linux 6 ELS | squid34 | 3.4.14 | 7.5 | HIGH | Released | CLSA-2021:1634925634 | 2022-04-28 15:57:41 | |
| Ubuntu 16.04 ELS | squid | 3.5.12-1 | 7.5 | HIGH | Not Vulnerable | | 2022-04-28 15:57:41 | |