Updated: 2025-08-20 02:45:59.046205
Description:
A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.
Links: NIST | CIRCL | RHEL | Ubuntu
| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0.0 |
| CVSS Version 3.x | HIGH | 8.6 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| CentOS 6 ELS | squid34 | 3.4.14 | 8.6 | HIGH | Released | CLSA-2022:1665501511 | 2022-10-20 11:02:37 | |
| CentOS 6 ELS | squid | 3.1.23 | 8.6 | HIGH | Released | CLSA-2022:1665501369 | 2022-10-20 11:02:39 | |
| CentOS 7 ELS | squid | 3.5.20 | 8.6 | HIGH | Already Fixed | | 2025-11-18 06:53:11 | |
| CentOS 8.4 ELS | squid | 4.11-4 | 8.6 | HIGH | Released | CLSA-2022:1665680640 | 2022-10-13 14:02:33 | |
| CentOS 8.5 ELS | squid | 4.15-1 | 8.6 | HIGH | Released | CLSA-2022:1665680517 | 2022-10-13 14:02:32 | |
| CloudLinux 6 ELS | squid34 | 3.4.14 | 8.6 | HIGH | Released | CLSA-2022:1665501126 | 2022-10-20 11:02:37 | |
| CloudLinux 6 ELS | squid | 3.1.23 | 8.6 | HIGH | Released | CLSA-2022:1665500999 | 2022-10-20 11:02:39 | |
| Debian 10 ELS | squid | 4.6.0 | 8.6 | HIGH | Already Fixed | | 2025-10-15 20:15:04 | |
| Oracle Linux 6 ELS | squid | 3.1.23 | 8.6 | HIGH | Released | CLSA-2022:1665501958 | 2022-10-11 14:02:35 | |
| Oracle Linux 6 ELS | squid34 | 3.4.14 | 8.6 | HIGH | Released | CLSA-2022:1665501668 | 2022-10-11 14:02:34 | |