HTTP: Squid Proxy ESI Component Stack Buffer Overflow

A stack-based buffer overflow vulnerability has been reported in the Edge Side Includes (ESI) component of the Squid proxy. The overflow is triggered while Squid processes a crafted ESI response fetched from an upstream (origin) server. Successful exploitation allows an attacker to execute arbitrary code on the target in the context of the Squid service.

Extended Description

Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses. Only Squid builds compiled with ESI support (the --enable-esi configure option) process ESI markup and are therefore exposed. Upgrading to Squid 3.5.17 or 4.0.9 or later removes the vulnerability; this signature is a network-side mitigation, not a substitute for the fix.
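The bug class named in the extended description, as an added illustration that is not Squid's code and does not reproduce the actual vulnerable routine: a toy parser for an ESI tag attribute that copies the attribute value into a fixed-size stack buffer without a length check, beside the hardened form that rejects oversized values before the copy. The tag syntax, the 32-byte buffer size (ATTR_MAX), and the function names vuln_parse_src, safe_parse_src, find_attr and make_tag are assumptions made for the demonstration.

```c
/* Added illustration of the CVE-2016-4054 bug class (stack buffer
 * overflow while parsing ESI markup in a server response).  This is
 * NOT Squid's code: the tag syntax, ATTR_MAX and the function names
 * are assumptions made for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ATTR_MAX 32  /* assumed size of the fixed stack buffer */

/* Locate the value of an attribute given its needle, e.g. "src=\"",
 * inside a tag such as <esi:include src="http://example.invalid/x"/>.
 * Returns a pointer to the first byte of the value and stores its
 * length in *len, or NULL if the attribute or closing quote is missing. */
static const char *find_attr(const char *tag, const char *needle, size_t *len)
{
    const char *p = strstr(tag, needle);
    if (p == NULL)
        return NULL;
    const char *start = p + strlen(needle);
    const char *end = strchr(start, '"');
    if (end == NULL)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Vulnerable pattern: the server-controlled value is copied into a
 * fixed stack buffer with no length check.  A value of ATTR_MAX bytes
 * or more writes past `buf` (undefined behaviour, a stack overflow).
 * Returns 0 on success, -1 if no src attribute was found. */
int vuln_parse_src(const char *tag, char *out, size_t outsz)
{
    char buf[ATTR_MAX];
    size_t len;
    const char *v = find_attr(tag, "src=\"", &len);
    if (v == NULL)
        return -1;
    memcpy(buf, v, len);   /* unbounded: overflows when len >= ATTR_MAX */
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    return 0;
}

/* Hardened form: the length is checked against the buffer before the
 * copy, keeping one byte for the terminator.  Returns 0 on success,
 * -1 if no src attribute was found, -2 if the value does not fit. */
int safe_parse_src(const char *tag, char *out, size_t outsz)
{
    char buf[ATTR_MAX];
    size_t len;
    const char *v = find_attr(tag, "src=\"", &len);
    if (v == NULL)
        return -1;
    if (len >= sizeof buf)
        return -2;         /* oversized value: refuse instead of overflowing */
    memcpy(buf, v, len);
    buf[len] = '\0';
    snprintf(out, outsz, "%s", buf);
    return 0;
}

/* Builds a constructed ESI tag whose src value is `n` repeated 'A's,
 * the kind of input a malicious origin server could return. */
void make_tag(char *dst, size_t dstsz, size_t n)
{
    char val[256];
    if (n >= sizeof val)
        n = sizeof val - 1;
    memset(val, 'A', n);
    val[n] = '\0';
    snprintf(dst, dstsz, "<esi:include src=\"%s\"/>", val);
}

int main(void)
{
    char out[64], tag[512];
    int rc;
    const char *benign = "<esi:include src=\"http://example.invalid/x\"/>";

    rc = vuln_parse_src(benign, out, sizeof out);
    printf("vuln, benign:    rc=%d src=%s\n", rc, out);
    rc = safe_parse_src(benign, out, sizeof out);
    printf("safe, benign:    rc=%d src=%s\n", rc, out);

    make_tag(tag, sizeof tag, 200);   /* 200-byte value: would overrun buf[32] */
    rc = safe_parse_src(tag, out, sizeof out);
    printf("safe, oversized: rc=%d (rejected)\n", rc);
    /* vuln_parse_src(tag, ...) is deliberately not called: it would
     * smash the stack, which is exactly the defect the fix removes. */
    return 0;
}
```

The point of the pairing is that the two functions are identical except for one comparison before the copy: a bound check against the destination buffer, not against the input, is what turns an attacker-chosen length into a clean error return.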

Affected Products

Squid-cache squid

References

CVE: CVE-2016-4054

Short Name
HTTP:PROXY:SQUID-ESI-BO
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Buffer CVE-2016-4054 Component ESI Overflow Proxy Squid Stack
Release Date
05/19/2016
Supported Platforms
srx-branch-19.3
vsrx3bsd-19.2
srx-19.4
vsrx3bsd-19.4
srx-branch-19.4
vsrx-19.4
vsrx-19.2
srx-19.3
srx-branch-12.3
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx-12.3
vmx-19.3
srx-12.3

Sigpack Version
3625
False Positive
Unknown
Vendors
Oracle
Squid-cache
Canonical
CVSS Score
6.8
