{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49286", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-24T16:45:24.312Z", "datePublished": "2023-12-04T22:53:44.827Z", "dateUpdated": "2024-08-02T21:53:45.223Z"}, "containers": {"cna": {"title": "Denial of Service in Helper Process management", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-253", "lang": "en", "description": "CWE-253: Incorrect Check of Function Return Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27"}, {"name": "https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264", "tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264"}, {"name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch", "tags": ["x_refsource_MISC"], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240119-0004/"}], "affected": [{"vendor": "squid-cache", "product": "squid", "versions": [{"version": "< 6.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-04T22:53:44.827Z"}, "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-xggx-9329-3c27", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:53:45.223Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27"}, {"name": "https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264"}, {"name": "http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch", "tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240119-0004/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A6EFAB-804C-4B6B-B609-2F5A797EACB0", "versionEndIncluding": "6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Squid es un proxy de almacenamiento en cach\u00e9 para la Web que admite HTTP, HTTPS, FTP y m\u00e1s. Debido a un error de verificaci\u00f3n incorrecta del valor de retorno de la funci\u00f3n, Squid es vulnerable a un ataque de denegaci\u00f3n de servicio contra su gesti\u00f3n de procesos auxiliares. Este error se solucion\u00f3 con la versi\u00f3n 6.5 de Squid. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-49286", "lastModified": "2024-01-19T16:15:09.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-04T23:15:27.243", "references": [{"source": "security-advisories@github.com", "tags": ["Broken Link"], "url": "http://www.squid-cache.org/Versions/v6/SQUID-2023_8.patch"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/squid-cache/squid/commit/6014c6648a2a54a4ecb7f952ea1163e0798f9264"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240119-0004/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}, {"lang": "en", "value": "CWE-754"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-253"}, {"lang": "en", "value": "CWE-617"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1787", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "squid-7:3.5.20-17.el7_9.10", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHSA-2024:0046", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "squid:4-8090020231207155957.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-03T00:00:00Z"}, {"advisory": "RHSA-2024:0772", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "squid:4-8020020240122164331.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0772", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "squid:4-8020020240122164331.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0772", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "squid:4-8020020240122164331.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0773", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "squid:4-8040020240122165847.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0773", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "squid:4-8040020240122165847.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0773", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "squid:4-8040020240122165847.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0771", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "squid:4-8060020231222131040.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0397", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "squid:4-8080020231222130009.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-24T00:00:00Z"}, {"advisory": "RHSA-2024:0071", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "squid-7:5.5-6.el9_3.5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-01-08T00:00:00Z"}, {"advisory": "RHSA-2024:1153", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "squid-7:5.2-1.el9_0.4", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-03-05T00:00:00Z"}, {"advisory": "RHSA-2024:0072", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "squid-7:5.5-5.el9_2.3", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-01-08T00:00:00Z"}], "bugzilla": {"description": "squid: Incorrect Check of Function Return Value In Helper Process management", "id": "2252923", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2252923"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-253->CWE-617", "details": ["Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "A flaw was found in Squid due to an incorrect check of the return value in the helper process management. This issue may allow attackers to perform remote denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-49286", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2023-12-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-49286\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-49286"], "statement": "The only security impact of this vulnerability is a remote denial of service. For this reason, this flaw was rated with an important, and not critical, severity.", "threat_severity": "Important", "upstream_fix": "squid 6.5"}