CVE-2023-49285

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch	Broken Link
http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch	Broken Link
https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b	Patch
https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470	Patch
https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/
https://security.netapp.com/advisory/ntap-20240119-0004/

Configurations

Configuration 1 (hide)

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

History

19 Jan 2024, 16:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20240119-0004/ -

09 Jan 2024, 02:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html -

29 Dec 2023, 03:15

Type	Values Removed	Values Added
References		() https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/ -

08 Dec 2023, 17:30

Type	Values Removed	Values Added
CPE		cpe:2.3:a:squid-cache:squid::::::::
CWE	~~CWE-126~~	CWE-125
First Time		Squid-cache Squid-cache squid
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch -~~	() http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch - Broken Link
References	~~() https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9 -~~	() https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9 - Vendor Advisory
References	~~() https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470 -~~	() https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470 - Patch
References	~~() https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b -~~	() https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b - Patch
References	~~() http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch -~~	() http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch - Broken Link

04 Dec 2023, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-04 23:15

Updated : 2024-01-19 16:15

NVD link : CVE-2023-49285

Mitre link : CVE-2023-49285

CVE.ORG link : CVE-2023-49285

JSON object : View

Products Affected

squid-cache

squid

CWE

CWE-125

Out-of-bounds Read

CWE-126

Buffer Over-read

7.5 /10