CVE-2022-41318

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-41318
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41318.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-41318
Downstream
Related
Published
2022-12-25T19:15:10Z
Modified
2025-10-21T07:14:41.765863Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these locations are sent to a client. This is fixed in 5.7.

References

Affected packages

Git / github.com/squid-cache/squid

Affected ranges

Type
GIT
Repo
https://github.com/squid-cache/squid
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5bb2694408e7a42897e9efe775361579d8864de8

Affected versions

Other

BASIC_TPROXY4
HISTORIC_RELEASES
M-staged-PR161
M-staged-PR164
M-staged-PR170
M-staged-PR176
M-staged-PR179
M-staged-PR181
M-staged-PR182
M-staged-PR186
M-staged-PR189
M-staged-PR193
M-staged-PR195
M-staged-PR196
M-staged-PR198
M-staged-PR199
M-staged-PR200
M-staged-PR202
M-staged-PR206
M-staged-PR208
M-staged-PR209
M-staged-PR210
M-staged-PR218
M-staged-PR220
M-staged-PR221
M-staged-PR225
M-staged-PR227
M-staged-PR229
M-staged-PR230
M-staged-PR235
M-staged-PR237
M-staged-PR238
M-staged-PR239
M-staged-PR241
M-staged-PR242
M-staged-PR252
M-staged-PR255
M-staged-PR258
M-staged-PR264
M-staged-PR266
M-staged-PR267
M-staged-PR268
M-staged-PR274
M-staged-PR276
M-staged-PR293
M-staged-PR294
M-staged-PR295
M-staged-PR299
M-staged-PR306
M-staged-PR314
M-staged-PR319
M-staged-PR342
M-staged-PR345
M-staged-PR348
M-staged-PR351
M-staged-PR359
M-staged-PR364
M-staged-PR365
M-staged-PR366
M-staged-PR370
M-staged-PR372
M-staged-PR373
M-staged-PR375
M-staged-PR376
SQUID_3_0_PRE1
SQUID_3_0_PRE2
SQUID_3_0_PRE3
SQUID_3_0_PRE4
SQUID_3_0_PRE5
SQUID_3_0_PRE6
SQUID_3_0_PRE7
SQUID_3_0_RC1
SQUID_3_5_27
SQUID_4_0_1
SQUID_4_0_10
SQUID_4_0_11
SQUID_4_0_12
SQUID_4_0_13
SQUID_4_0_14
SQUID_4_0_15
SQUID_4_0_16
SQUID_4_0_2
SQUID_4_0_3
SQUID_4_0_4
SQUID_4_0_5
SQUID_4_0_6
SQUID_4_0_7
SQUID_4_0_8
SQUID_4_0_9
SQUID_5_0_1
SQUID_5_0_2
SQUID_5_0_3
SQUID_5_0_4
SQUID_5_0_5
SQUID_5_0_6
SQUID_5_0_7
SQUID_5_1
SQUID_5_2
SQUID_5_3
SQUID_5_4_1
SQUID_5_5
SQUID_5_6
for-libecap-v0p1
merge-candidate-3-v1
merge-candidate-3-v2
sourceformat-review-1
take00
take01
take02
take03
take04
take06
take07
take08
take09
take1
take2

BumpSslServerFirst.*

BumpSslServerFirst.take01
BumpSslServerFirst.take02
BumpSslServerFirst.take03
BumpSslServerFirst.take04
BumpSslServerFirst.take05
BumpSslServerFirst.take06
BumpSslServerFirst.take07
BumpSslServerFirst.take08
BumpSslServerFirst.take09
BumpSslServerFirst.take10

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-41318-0a2a77c1",
        "target": {
            "file": "src/ssl/support.cc"
        },
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "157750309172091702582925428005493227867",
                "218881333121098214655110636846154953560",
                "206051021408544867493777671469714873892",
                "70933281598196939590700626067890505816",
                "237286626667678540720639229716632419352",
                "12908433598266290249320675408114387116",
                "185234433191157783139533113985827305669",
                "91207162898924998580933656119642315529",
                "12830155845411348948611201853498301870",
                "98043717554064422388750680731084828886"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/squid-cache/squid/commit/5bb2694408e7a42897e9efe775361579d8864de8"
    },
    {
        "id": "CVE-2022-41318-1f50be07",
        "target": {
            "function": "Ssl::Initialize",
            "file": "src/ssl/support.cc"
        },
        "signature_version": "v1",
        "digest": {
            "length": 2417.0,
            "function_hash": "188390915243848524858308343346591833357"
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/squid-cache/squid/commit/5bb2694408e7a42897e9efe775361579d8864de8"
    },
    {
        "id": "CVE-2022-41318-f2e2486f",
        "target": {
            "file": "src/security/ServerOptions.cc"
        },
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "284090572366065137028192422215588986250",
                "19951007384723126726267253642941680731",
                "156669495693973190387507273863492603738",
                "301758475509959629984069537199932148530",
                "97161342785240974768606456605877618890",
                "169523640118712761496248132354948595410",
                "167510253363874404944685795350416904550",
                "135929239310644637345597208847357782135"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/squid-cache/squid/commit/5bb2694408e7a42897e9efe775361579d8864de8"
    }
]