{"id":"CVE-2018-1000027","details":"The Squid Software Foundation Squid HTTP Caching Proxy versions prior to 4.0.23 contain a NULL Pointer Dereference vulnerability in HTTP Response X-Forwarded-For header processing that can result in Denial of Service to all clients of the proxy. This attack appears to be exploitable via a remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. This vulnerability appears to have been fixed in 4.0.23 and later.","modified":"2026-04-10T04:03:16.357695Z","published":"2018-02-09T23:29:00.870Z","related":["SUSE-SU-2018:0636-1","SUSE-SU-2018:0752-1","openSUSE-SU-2024:11403-1"],"references":[{"type":"WEB","url":"https://usn.ubuntu.com/4059-2/"},{"type":"ADVISORY","url":"https://github.com/squid-cache/squid/pull/129/files"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00001.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3557-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4122"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/02/msg00002.html"},{"type":"FIX","url":"http://www.squid-cache.org/Advisories/SQUID-2018_2.txt"},{"type":"FIX","url":"http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2018_2.patch"},{"type":"FIX","url":"http://www.squid-cache.org/Versions/v4/changesets/SQUID-2018_2.patch"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/squid-cache/squid","events":[{"introduced":"0"},{"fixed":"787b41c3b0ef9b7330032a1947c5f93bd050f32a"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.0.23"}]}}],"versions":["HISTORIC_RELEASES","SQUID_3_0_PRE1","SQUID_3_0_PRE2","SQUID_3_0_PRE3","SQUID_3_0_PRE4","SQUID_3_0_PRE5","SQUID_3_0_PRE6","SQUID_3_0_PRE7","SQUID_3_0_RC1","SQUID_4_0_1","SQUID_4_0_10","SQUID_4_0_11","SQUID_4_0_12","SQUID_4_0_13","SQUID_4_0_14","SQUID_4_0_15","SQUID_4_0_16","SQUID_4_0_17","SQUID_4_0_18","SQUID_4_0_19","SQUID_4_0_2","SQUID_4_0_20","SQU
ID_4_0_21","SQUID_4_0_22","SQUID_4_0_3","SQUID_4_0_4","SQUID_4_0_5","SQUID_4_0_6","SQUID_4_0_7","SQUID_4_0_8","SQUID_4_0_9","take00"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"17.10"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000027.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}