{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49285", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-24T16:45:24.312Z", "datePublished": "2023-12-04T22:56:55.105Z", "dateUpdated": "2024-08-02T21:53:45.105Z"}, "containers": {"cna": {"title": "Denial of Service in HTTP Message Processing in Squid", "problemTypes": [{"descriptions": [{"cweId": "CWE-126", "lang": "en", "description": "CWE-126: Buffer Over-read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9"}, {"name": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b"}, {"name": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470"}, {"name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch", "tags": ["x_refsource_MISC"], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch"}, {"name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch", "tags": ["x_refsource_MISC"], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240119-0004/"}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"version": ">= 2.2, < 6.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-04T22:56:55.105Z"}, "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-8w9r-p88v-mmx9", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:53:45.105Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9"}, {"name": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b"}, {"name": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470"}, {"name": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch", "tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch"}, {"name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch", "tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240119-0004/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A6EFAB-804C-4B6B-B609-2F5A797EACB0", "versionEndIncluding": "6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Squid es un proxy de almacenamiento en cach\u00e9 para la Web que admite HTTP, HTTPS, FTP y m\u00e1s. Debido a un error de sobrelectura del b\u00fafer, Squid es vulnerable a un ataque de denegaci\u00f3n de servicio contra el procesamiento de mensajes HTTP de Squid. Este error se solucion\u00f3 con la versi\u00f3n 6.5 de Squid. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-49285", "lastModified": "2024-01-19T16:15:09.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-04T23:15:27.007", "references": [{"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "http://www.squid-cache.org/Versions/v5/SQUID-2023_7.patch"}, {"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_7.patch"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240119-0004/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-126"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1787", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "squid-7:3.5.20-17.el7_9.10", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHSA-2024:0046", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "squid:4-8090020231207155957.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-03T00:00:00Z"}, {"advisory": "RHSA-2024:0772", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "squid:4-8020020240122164331.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0772", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "squid:4-8020020240122164331.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0772", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "squid:4-8020020240122164331.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0773", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "squid:4-8040020240122165847.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0773", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "squid:4-8040020240122165847.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0773", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "squid:4-8040020240122165847.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0771", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "squid:4-8060020231222131040.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0397", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "squid:4-8080020231222130009.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-24T00:00:00Z"}, {"advisory": "RHSA-2024:0071", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "squid-7:5.5-6.el9_3.5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-08T00:00:00Z"}, {"advisory": "RHSA-2024:1153", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "squid-7:5.2-1.el9_0.4", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-03-05T00:00:00Z"}, {"advisory": "RHSA-2024:0072", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "squid-7:5.5-5.el9_2.3", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-01-08T00:00:00Z"}], "bugzilla": {"description": "squid: Buffer over-read in the HTTP Message processing feature", "id": "2252926", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252926"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-126", "details": ["Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "A buffer over-read flaw was found in Squid's HTTP Message processing feature. This issue may allow attackers to perform remote denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-49285", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2023-12-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-49285\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-49285"], "statement": "The only security impact of this vulnerability is a remote denial of service. For this reason, this flaw was rated with an important, and not critical, severity.", "threat_severity": "Important", "upstream_fix": "squid 6.5"}