CVE-2023-46724
published 2023-11-01CVE-2023-46724: Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled…
PriorityP343high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
4.01%
89.3th percentile
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 5.7-2+deb12u1 (bookworm) | squid 5.7-2+deb12u1 (bookworm) |
| squid-cache | squid | — | — |
| squid-cache | squid | >= 3.3.0.1 < 6.4 | 6.4 |
| squid | squid | >= 0 < 4.13-10+deb11u3 | 4.13-10+deb11u3 |
| squid | squid | >= 0 < 5.7-2+deb12u1 | 5.7-2+deb12u1 |
| squid | squid | >= 0 < 6.5-1 | 6.5-1 |
| squid | squid | >= 0 < 6.5-1 | 6.5-1 |
| squid | squid | >= 0 < 4.10-1ubuntu1.8 | 4.10-1ubuntu1.8 |
| squid | squid | >= 0 < 5.7-0ubuntu0.22.04.2 | 5.7-0ubuntu0.22.04.2 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
vendor_debian8.6HIGH
vendor_redhat8.6HIGH
vendor_ubuntu8.6HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
squid vulnerabilities
osv·2023-11-21·CVSS 7.5
CVE-2023-46724 [HIGH] squid vulnerabilities
squid vulnerabilities
Joshua Rogers discovered that Squid incorrectly handled validating certain
SSL certificates. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. This issue only affected
Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-46724)
Joshua Rogers discovered that Squid incorrectly handled the Gopher
protocol. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. Gopher support has been disabled
in this update. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, and Ubuntu 23.04. (CVE-2023-46728)
Keran Mu and Jianjun Chen discovered that Squid incorrectly handled the
chunked decoder. A remote attacker could possibly use this issue to perform
HTTP r
OSV
CVE-2023-46724: Squid is a caching proxy for the Web
osv·2023-11-01·CVSS 7.5
CVE-2023-46724 [HIGH] CVE-2023-46724: Squid is a caching proxy for the Web
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2023-11-21·CVSS 8.6
CVE-2023-46724 [HIGH] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Joshua Rogers discovered that Squid incorrectly handled validating certain
SSL certificates. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. This issue only affected
Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-46724)
Joshua Rogers discovered that Squid incorrectly handled the Gopher
protocol. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. Gopher support has been disabled
in this update. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, and Ubuntu 23.04. (CVE-2023-46728)
Keran Mu and Jianjun Chen discovered that Squid incorrectly handled the
chunked decoder. A r
Red Hat
squid: Denial of Service in SSL Certificate validation
vendor_redhat·2023-11-01·CVSS 8.6
CVE-2023-46724 [HIGH] CWE-125 squid: Denial of Service in SSL Certificate validation
squid: Denial of Service in SSL Certificate validation
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability
Debian
CVE-2023-46724: squid - Squid is a caching proxy for the Web. Due to an Improper Validation of Specified...
vendor_debian·2023·CVSS 8.6
CVE-2023-46724 [HIGH] CVE-2023-46724: squid - Squid is a caching proxy for the Web. Due to an Improper Validation of Specified...
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
Scope: local
bookworm:
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patchhttp://www.squid-cache.org/Versions/v6/SQUID-2023_4.patchhttps://github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3https://lists.fedoraproject.org/archives/list/[email protected]/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/https://lists.fedoraproject.org/archives/list/[email protected]/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/https://security.netapp.com/advisory/ntap-20231208-0001/http://www.squid-cache.org/Versions/v5/SQUID-2023_4.patchhttp://www.squid-cache.org/Versions/v6/SQUID-2023_4.patchhttps://github.com/squid-cache/squid/commit/b70f864940225dfe69f9f653f948e787f99c3810https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3https://lists.fedoraproject.org/archives/list/[email protected]/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/https://lists.fedoraproject.org/archives/list/[email protected]/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/https://security.netapp.com/advisory/ntap-20231208-0001/
2023-11-01
Published