Denial of Service in HTTP Message Processing in Squid
CVE-2023-49285

8.6HIGH

Key Information:

Vendor

Squid-cache

Status
Squid
Vendor
CVE Published:
4 December 2023

What is CVE-2023-49285?

The Squid Proxy is susceptible to a Buffer Overread vulnerability that can lead to Denial of Service (DoS) attacks through improper handling of HTTP messages. This flaw is present in version 6.4 and earlier of the software, making it crucial for users to upgrade to version 6.5 or later to secure their systems. Currently, there are no recommended workarounds, emphasizing the need for immediate action to mitigate potential exploitation.

Affected Version(s)

squid >= 2.2, < 6.5

References

https://github.com/squid-cache/squid/security/advisories/...
x_refsource_CONFIRM
https://github.com/squid-cache/squid/commit/77b3fb4df0f12...
x_refsource_MISC
https://github.com/squid-cache/squid/commit/deee944f9a12c...
x_refsource_MISC

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.