CVE-2023-46724

EPSS 0.49%
Published 01.11.2023 20:15:08
Last modified 13.02.2025 18:15:36
Source security-advisories@github.com
Teams watchlist Login
Open Login

Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.

Affected products Warnungen 0 Metrics 3 CWE 6 References 10

Data is provided by the National Vulnerability Database (NVD)

Squid-cache ≫ Squid Version >= 3.3.0.1 < 6.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.49%	0.647

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	8.6	3.9	4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input

The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.

CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

CWE-786 Access of Memory Location Before Start of Buffer

The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

CWE-823 Use of Out-of-range Pointer Offset

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patch

Patch

Mailing List

http://www.squid-cache.org/Versions/v6/SQUID-2023_4.patch

Patch

Mailing List

https://github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810

Patch

https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3

Vendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/

https://security.netapp.com/advisory/ntap-20231208-0001/

https://nvd.nist.gov/vuln/detail/CVE-2023-46724

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-46724

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-46724

EUVD