Lucene search

[email protected]NVD:CVE-2023-46846

HistoryNov 03, 2023 - 8:15 a.m.

CVE-2023-46846

2023-11-0308:15:07

CWE-444

[email protected]

web.nvd.nist.gov

squid

cve-2023-46846

http request

smuggling

vulnerability

chunked decoder

lenience

firewall

frontend security

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

9.1 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.5%

JSON

SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.

Affected configurations

NVD

Node

squid-cachesquidRange2.6–6.4

Node

redhatenterprise_linuxMatch8.0

redhatenterprise_linuxMatch9.0

redhatenterprise_linux_eusMatch8.6

redhatenterprise_linux_eusMatch8.8

redhatenterprise_linux_eusMatch9.0

redhatenterprise_linux_eusMatch9.2

redhatenterprise_linux_for_arm_64Match8.0_aarch64

redhatenterprise_linux_for_ibm_z_systemsMatch8.0_s390x

redhatenterprise_linux_for_power_little_endianMatch8.0_ppc64le

redhatenterprise_linux_server_ausMatch8.2

redhatenterprise_linux_server_ausMatch8.4

redhatenterprise_linux_server_ausMatch8.6

redhatenterprise_linux_server_ausMatch9.2

redhatenterprise_linux_server_tusMatch8.2

redhatenterprise_linux_server_tusMatch8.4

redhatenterprise_linux_server_tusMatch8.6

redhatenterprise_linux_server_tusMatch8.8

redhatenterprise_linux_server_tusMatch9.2

References

access.redhat.com/errata/RHSA-2023:6266

access.redhat.com/errata/RHSA-2023:6267

access.redhat.com/errata/RHSA-2023:6268

access.redhat.com/errata/RHSA-2023:6748

access.redhat.com/errata/RHSA-2023:6801

access.redhat.com/errata/RHSA-2023:6803

access.redhat.com/errata/RHSA-2023:6804

access.redhat.com/errata/RHSA-2023:6810

access.redhat.com/errata/RHSA-2023:7213

access.redhat.com/security/cve/CVE-2023-46846

bugzilla.redhat.com/show_bug.cgi?id=2245910

github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh

lists.debian.org/debian-lts-announce/2024/01/msg00003.html

lists.debian.org/debian-lts-announce/2024/01/msg00008.html

security.netapp.com/advisory/ntap-20231130-0002/

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

9.1 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.5%

JSON

Related for NVD:CVE-2023-46846

veracode1 debiancve1 amazon2 openvas8 alpinelinux1 cve1 nessus28 cvelist1 prion1 ubuntucve1 redhatcve1 debian3 osv11 redhat9 almalinux4 oraclelinux4 rocky3 mageia1 f51 redos1 photon3 ubuntu1