SQUID-2023:10 Denial of Service in HTTP Request parsing
CVE-2023-50269

8.6 HIGH

Key Information:

CVE Published:
14 December 2023

What is CVE-2023-50269?

Squid, the caching proxy, is vulnerable to a Denial of Service attack against its HTTP request parsing, caused by an uncontrolled recursion bug. A remote, unauthenticated client triggers it by sending a request carrying a large X-Forwarded-For header to a Squid instance on which the follow_x_forwarded_for feature is enabled: the header is walked recursively, and the attacker controls the recursion depth through the size of the header, so a sufficiently large header denies service to all clients of the proxy. The fix is in Squid 6.6; users of affected stable releases should upgrade to 6.6 or later, or apply the corresponding patch from Squid's patch archive. Because the vulnerable code path is only reached when follow_x_forwarded_for is enabled, instances that do not configure the feature are not exposed, and removing the directive from squid.conf is an interim mitigation until the upgrade is deployed.
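Added example (not from the advisory or the Squid project): a Python check that reads the version out of `squid -v` output, compares it against the three affected ranges listed on this page, and looks for an enabled follow_x_forwarded_for rule in squid.conf, since both conditions must hold for a host to be exposed. The `Squid Cache: Version` line format is Squid's real output; the sample output, the squid.conf fragments and the three result labels are constructed for this example.

```python
import re

# Affected ranges exactly as the advisory lists them, as (low, high, high_inclusive)
# over comparable 3-tuples. 2.7.STABLE9 is represented as (2, 7, 9).
AFFECTED_RANGES = [
    ((2, 6, 0), (2, 7, 9), True),   # 2.6 up to and including 2.7.STABLE9
    ((3, 1, 0), (5, 9, 0), True),   # 3.1 up to and including 5.9
    ((6, 0, 1), (6, 6, 0), False),  # 6.0.1 up to but excluding 6.6
]


def parse_version(text):
    """Turn '2.7.STABLE9', '5.9' or '6.0.1' into a 3-tuple of ints.

    A non-numeric prefix such as 'STABLE' is dropped so that STABLE9 compares
    as 9; missing components are padded with 0 so '5.9' == (5, 9, 0).
    """
    parts = []
    for token in text.strip().split("."):
        match = re.search(r"\d+", token)
        if match is None:
            raise ValueError(f"unparseable version component: {token!r}")
        parts.append(int(match.group()))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def version_from_squid_v(output):
    """Pull the version string out of `squid -v` output ('Squid Cache: Version 6.5')."""
    match = re.search(r"Squid Cache: Version\s+(\S+)", output)
    if match is None:
        raise ValueError("no 'Squid Cache: Version' line in input")
    return match.group(1)


def is_affected_version(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    for low, high, inclusive in AFFECTED_RANGES:
        if v >= low and (v <= high if inclusive else v < high):
            return True
    return False


def follow_xff_enabled(conf_text):
    """True if squid.conf has an uncommented 'follow_x_forwarded_for allow ...' line.

    Squid's documented default for this directive is 'deny all', under which the
    X-Forwarded-For header is ignored, so only an explicit allow rule turns the
    feature (and with it the vulnerable parsing path) on.
    """
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] == "follow_x_forwarded_for" and fields[1] == "allow":
            return True
    return False


def exposure(squid_v_output, conf_text):
    """Classify a host. The three labels are this example's own, not the advisory's."""
    vulnerable = is_affected_version(version_from_squid_v(squid_v_output))
    if vulnerable and follow_xff_enabled(conf_text):
        return "EXPOSED"                   # affected build and the trigger feature is on
    if vulnerable:
        return "PATCH_NEEDED_FEATURE_OFF"  # affected build, no follow_x_forwarded_for allow rule
    return "NOT_AFFECTED"


# Constructed sample inputs (not captured from a real host).
SAMPLE_SQUID_V = "Squid Cache: Version 6.5\nService Name: squid\n"

SAMPLE_CONF_WEAK = """\
# constructed squid.conf fragment: trusts X-Forwarded-For from the load balancer
acl lb src 10.0.0.5
follow_x_forwarded_for allow lb
http_access allow all
"""

SAMPLE_CONF_MITIGATED = """\
# constructed squid.conf fragment: directive removed until the upgrade to 6.6
acl lb src 10.0.0.5
# follow_x_forwarded_for allow lb
http_access allow all
"""

if __name__ == "__main__":
    print("weak config:     ", exposure(SAMPLE_SQUID_V, SAMPLE_CONF_WEAK))
    print("mitigated config:", exposure(SAMPLE_SQUID_V, SAMPLE_CONF_MITIGATED))
    print("after upgrade:   ", exposure("Squid Cache: Version 6.6\n", SAMPLE_CONF_WEAK))
```

On a real host, feed `exposure()` the output of `squid -v` and the contents of the running squid.conf; a PATCH_NEEDED_FEATURE_OFF result still warrants the upgrade, since any later `follow_x_forwarded_for allow` change would make the host EXPOSED.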

Affected Version(s)

squid >= 2.6, <= 2.7.STABLE9

squid >= 3.1, <= 5.9

squid >= 6.0.1, < 6.6

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Score:
8.6
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed
