CVE-2023-46728NULL Pointer Dereference in Squid

CWE-476NULL Pointer Dereference9 documents6 sources
Severity
7.5HIGHNVD
EPSS
2.3%
top 15.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Squid-cache SquidSquid
Timeline
PublishedNov 6
Latest updateDec 11

Description

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5squid-cache/squid< 6.0.1
NVDsquid-cache/squid< 6.0.1
Debiansquid/squid< 4.13-10+deb11u5+3

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
squid3 vulnerabilities2023-12-11
OSV
squid vulnerabilities2023-11-21
CVEList
SQUID-2021:8 Denial of Service in Gopher gateway2023-11-06
OSV
CVE-2023-46728: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more2023-11-06

📋Vendor Advisories

4
Ubuntu
Squid vulnerabilities2023-12-11
Ubuntu
Squid vulnerabilities2023-11-21
Red Hat
squid: NULL pointer dereference in the gopher protocol code2023-09-26
Debian
CVE-2023-46728: squid - Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due ...2023