CVE-2024-37894: 
Squid vulnerability analysis and mitigation

Squid, a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more, was found to contain a vulnerability identified as CVE-2024-37894. The vulnerability was discovered by Joshua Rogers of Opera Software and was disclosed on June 25, 2024. This security issue affects Squid versions 3.0 through 3.5.28, 4.0 through 4.16, 5.0 through 5.9, and 6.0 through 6.9 when built with ESI feature enabled (GitHub Advisory).

The vulnerability is classified as an Out-of-bounds Write error that occurs when assigning ESI variables, which can lead to Memory Corruption. The issue has been assigned a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H. The vulnerability is specifically limited to Squid installations acting as reverse proxy where the ESI feature has been enabled at build time (GitHub Advisory).

When successfully exploited, this vulnerability can result in a Denial of Service (DoS) attack. The impact affects all domains being serviced by the proxy and all clients using it during the affected period. The trigger for this issue involves values that clients might normally expect to use in valid ESI response content, suggesting that this issue could occur even without malicious exploitation (GitHub Advisory).

The vulnerability has been fixed in Squid version 6.10. For earlier versions, patches addressing this problem are available in the patch archives. As a workaround, administrators can build Squid with --disable-esi. For Squid-3.0 versions, building without --enable-esi also prevents the vulnerability. Users of prepackaged versions of Squid should refer to their package vendor for availability of updated packages (GitHub Advisory).