CVE-2023-49285 — Buffer Over-read in Squid

CWE-126 — Buffer Over-read CWE-125 — Out-of-bounds Read9 documents6 sources

Severity

7.5HIGHNVD

CNA8.6

EPSS

8.2%

top 7.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid

Timeline

PublishedDec 4

Latest updateJun 27

Description

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Debiansquid/squid< 4.13-10+deb11u3+3

▶Ubuntusquid/squid< 4.10-1ubuntu1.9+1

▶NVDsquid-cache/squid6.4

▶CVEListV5squid-cache/squid>= 2.2, < 6.5

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

squid3 vulnerabilities↗2024-06-27

▶

OSV

squid vulnerabilities↗2024-01-23

▶

CVEList

Denial of Service in HTTP Message Processing in Squid↗2023-12-04

▶

OSV

CVE-2023-49285: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more↗2023-12-04

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2024-06-27

▶

Ubuntu

Squid vulnerabilities↗2024-01-23

▶

Red Hat

squid: Buffer over-read in the HTTP Message processing feature↗2023-12-04

▶

Debian

CVE-2023-49285: squid - Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due ...↗2023

▶