Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2023-46728

Published: 06/11/2023 Updated: 29/12/2023
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 0
Subscribe to Squid-cache

Vulnerability Summary

Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 up to and including 5.9 and 6.0 before 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages. (CVE-2023-46724) Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests. (CVE-2023-46728)

Vulnerable Product Search on Vulmon Subscribe to Product

squid-cache squid

Vendor Advisories

Red Hat: Important: squid:4 security update
Synopsis Important: squid:4 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the squid:4 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update a ...
Red Hat: Important: squid security update
Synopsis Important: squid security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for squid is now available for Red Hat Enterprise Linux 9Red Hat Product Security has rated this update as having a secu ...
Red Hat: Important: squid:4 security update
Synopsis Important: squid:4 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the squid:4 module is now available for Red Hat Enterprise Linux 86 Extended Update SupportRed Hat Product Securi ...
Red Hat: Important: squid:4 security update
Synopsis Important: squid:4 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the squid:4 module is now available for Red Hat Enterprise Linux 82 Advanced Update Support, Red Hat Enterprise Li ...
Red Hat: Important: squid:4 security update
Synopsis Important: squid:4 security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for the squid:4 module is now available for Red Hat Enterprise Linux 84 Advanced Mission Critical Update Support, Red ...
Amazon Linux 2: ALAS-2023-2354
Squid is a caching proxy for the Web Due to an Improper Validation of Specified Index bug, Squid versions 3301 through 59 and 60 prior to 64 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation This problem allows a remote server to perform Denial of Service against Squid Proxy by i ...
Amazon Linux AMI: ALAS-2023-1885
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway The gopher protocol is always available and enabled in Squid prior to Squid 601 Responses triggering this bug are possible to be received from any goph ...

References

CWE-476https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33fhttps://security.netapp.com/advisory/ntap-20231214-0006/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/https://nvd.nist.govhttps://access.redhat.com/errata/RHSA-2024:0046https://alas.aws.amazon.com/AL2/ALAS-2023-2354.html
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
blind SQL injectionCVE-2006-4304CVE-2023-26603CVE-2024-28327CVE-2023-50363CVE-2024-21905template injectionCVE-2024-3400cross-site request forgery
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook