Updated: 2025-04-15 00:30:30.494174
Description:
A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.
Links | NIST | CIRCL | RHEL | Ubuntu |
Metric | Severity | Score |
---|---|---|
CVSS Version 2.x | 0 | |
CVSS Version 3.x | HIGH | 8.6 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
---|---|---|---|---|---|---|---|---|
CentOS 6 ELS | squid | 3.1.23 | 8.6 | HIGH | Released | CLSA-2022:1665501369 | 2022-10-20 11:02:39 | |
CentOS 6 ELS | squid34 | 3.4.14 | 8.6 | HIGH | Released | CLSA-2022:1665501511 | 2022-10-20 11:02:37 | |
CentOS 8.4 ELS | squid | 4.11-4 | 8.6 | HIGH | Released | CLSA-2022:1665680640 | 2022-10-13 14:02:33 | |
CentOS 8.5 ELS | squid | 4.15-1 | 8.6 | HIGH | Released | CLSA-2022:1665680517 | 2022-10-13 14:02:32 | |
CloudLinux 6 ELS | squid | 3.1.23 | 8.6 | HIGH | Released | CLSA-2022:1665500999 | 2022-10-20 11:02:39 | |
CloudLinux 6 ELS | squid34 | 3.4.14 | 8.6 | HIGH | Released | CLSA-2022:1665501126 | 2022-10-20 11:02:37 | |
Oracle Linux 6 ELS | squid | 3.1.23 | 8.6 | HIGH | Released | CLSA-2022:1665501958 | 2022-10-11 14:02:35 | |
Oracle Linux 6 ELS | squid34 | 3.4.14 | 8.6 | HIGH | Released | CLSA-2022:1665501668 | 2022-10-11 14:02:34 | |
Ubuntu 16.04 ELS | squid | 3.5.12-1 | 8.6 | HIGH | Released | CLSA-2022:1665502073 | 2022-10-11 14:02:35 | |
Ubuntu 18.04 ELS | squid | 3.5.27-1 | 8.6 | HIGH | Already Fixed | | 2023-06-22 17:07:08 | |