CVE-2023-46728
Published: 2023-11-06
Priority: P3 · 44 · high · CVSS 3.1: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 5.96% (92.4th percentile)
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | squid | < squid 5.7-2+deb12u5 (bookworm) | squid 5.7-2+deb12u5 (bookworm) |
| squid-cache | squid | < 6.0.1 | 6.0.1 |
| squid | squid | >= 0 < 4.13-10+deb11u5 | 4.13-10+deb11u5 |
| squid | squid | >= 0 < 5.7-2+deb12u5 | 5.7-2+deb12u5 |
| squid | squid | >= 0 < 6.1-1 | 6.1-1 |
| squid | squid | >= 0 < 6.1-1 | 6.1-1 |
| squid | squid | >= 0 < 4.10-1ubuntu1.8 | 4.10-1ubuntu1.8 |
| squid | squid | >= 0 < 5.7-0ubuntu0.22.04.2 | 5.7-0ubuntu0.22.04.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | |
| vendor_ubuntu | 8.6 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
OSV · squid3 vulnerabilities · 2023-12-11 · CVSS 7.5 · CVE-2023-46728 [HIGH]
USN-6500-1 fixed several vulnerabilities in Squid. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
Joshua Rogers discovered that Squid incorrectly handled the Gopher
protocol. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. Gopher support has been disabled
in this update. (CVE-2023-46728)
Joshua Rogers discovered that Squid incorrectly handled HTTP Digest
Authentication. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. (CVE-2023-46847)
OSV · squid vulnerabilities · 2023-11-21 · CVSS 7.5 · CVE-2023-46724 [HIGH]
Joshua Rogers discovered that Squid incorrectly handled validating certain
SSL certificates. A remote attacker could possibly use this issue to cause
Squid to crash, resulting in a denial of service. This issue only affected
Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-46724)
Joshua Rogers discovered that Squid incorrectly handled the Gopher
protocol. A remote attacker could possibly use this issue to cause Squid to
crash, resulting in a denial of service. Gopher support has been disabled
in this update. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, and Ubuntu 23.04. (CVE-2023-46728)
Keran Mu and Jianjun Chen discovered that Squid incorrectly handled the
chunked decoder. A remote attacker could possibly use this issue to perform
HTTP r
OSV · CVE-2023-46728: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more · 2023-11-06 · CVSS 7.5 · CVE-2023-46728 [HIGH]
Ubuntu · Squid vulnerabilities · 2023-12-11 · CVSS 7.5 · CVE-2023-46847 [HIGH]
Summary: Several security issues were fixed in Squid.
Instructions: In general, a standard system update will make all the necessary changes
Ubuntu · Squid vulnerabilities · 2023-11-21 · CVSS 8.6 · CVE-2023-46724 [HIGH]
Summary: Several security issues were fixed in Squid.
Red Hat · squid: NULL pointer dereference in the gopher protocol code · 2023-09-26 · CVSS 7.5 · CVE-2023-46728 [HIGH] · CWE-476
Debian · CVE-2023-46728: squid · 2023 · CVSS 7.5 · CVE-2023-46728 [HIGH]
Scope: local
bookworm: resolved (fixed in 5.7-2+deb12u5)
bullseye: resolved (fixed in 4.13-10+deb11u5)
forky: resolved (fixed in 6.1-1)
sid: resolved (fixed in 6.1-1)
trixie: resolved (fixed in 6.1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3
https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f
https://lists.debian.org/debian-lts-announce/2025/09/msg00027.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/
https://security.netapp.com/advisory/ntap-20231214-0006/