Lucene search

Redhat.comRH:CVE-2021-41611

HistoryOct 05, 2021 - 11:28 a.m.

CVE-2021-41611

2021-10-0511:28:03

redhat.com

access.redhat.com

squid proxy

certificates

security trust

confidentiality

integrity

tls

https

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

50.0%

JSON

The squid proxy package may incorrectly classify certain certificates as trusted. This can allow traffic to obtain security trust when the trust is not valid. The highest threat from this vulnerability is to confidentiality and integrity.

Mitigation

The only mitigation is complete denial to TLS and HTTPS servers publishing affected certificate chains. The set of affected servers varies over time.

acl vulnerableDomains dstdomain .example.net
http_access deny vulnerableDomains

References

bugzilla.redhat.com/show_bug.cgi?id=2010685

github.com/squid-cache/squid/security/advisories/GHSA-47m4-g3mv-9q5r

nvd.nist.gov/vuln/detail/CVE-2021-41611

www.cve.org/CVERecord?id=CVE-2021-41611

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

50.0%

JSON

Related for RH:CVE-2021-41611