FKIE_CVE-2023-49285

Vulnerability from fkie_nvd - Published: 2023-12-04 23:15 - Updated: 2024-11-21 08:33
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
security-advisories@github.comhttp://www.squid-cache.org/Versions/v5/SQUID-2023_7.patchBroken Link
security-advisories@github.comhttp://www.squid-cache.org/Versions/v6/SQUID-2023_7.patchBroken Link
security-advisories@github.comhttps://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521bPatch
security-advisories@github.comhttps://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470Patch
security-advisories@github.comhttps://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9Vendor Advisory
security-advisories@github.comhttps://lists.debian.org/debian-lts-announce/2024/01/msg00003.html
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/
security-advisories@github.comhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/
security-advisories@github.comhttps://security.netapp.com/advisory/ntap-20240119-0004/
af854a3a-2127-422b-91ae-364da2661108http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patchBroken Link
af854a3a-2127-422b-91ae-364da2661108http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patchBroken Link
af854a3a-2127-422b-91ae-364da2661108https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521bPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240119-0004/
Impacted products
Vendor Product Version
squid-cache squid *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "64A6EFAB-804C-4B6B-B609-2F5A797EACB0",
              "versionEndIncluding": "6.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Squid es un proxy de almacenamiento en cach\u00e9 para la Web que admite HTTP, HTTPS, FTP y m\u00e1s. Debido a un error de sobrelectura del b\u00fafer, Squid es vulnerable a un ataque de denegaci\u00f3n de servicio contra el procesamiento de mensajes HTTP de Squid. Este error se solucion\u00f3 con la versi\u00f3n 6.5 de Squid. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2023-49285",
  "lastModified": "2024-11-21T08:33:11.207",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-04T23:15:27.007",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://security.netapp.com/advisory/ntap-20240119-0004/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20240119-0004/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-126"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.