Description
An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it's being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won't overflow.
Remediation
References
Related Vulnerabilities
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-5479)
Apache 2.x version older than 2.2.10
Contao Incorrect Default Permissions Vulnerability (CVE-2019-19712)
Drupal Core 8.x.x Cross-Site Request Forgery (8.0.0 - 8.7.14)
WordPress Plugin Image Gallery-Responsive Photo Gallery Cross-Site Scripting (2.0.5)