CVE-2023-46728

2023-11-0600:00:00

ubuntu.com

squid

caching proxy

vulnerability

dos attack

null pointer dereference

gopher gateway

upgrade

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

6.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.8%

JSON

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.
Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of
Service attack against Squid’s Gopher gateway. The gopher protocol is
always available and enabled in Squid prior to Squid 6.0.1. Responses
triggering this bug are possible to be received from any gopher server,
even those without malicious intent. Gopher support has been removed in
Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade
should reject all gopher URL requests.

Notes

Author	Note
rodrigo-zaiden	the fix is removing support for Gopher protocol.

OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchsquid< 4.10-1ubuntu1.8UNKNOWN
ubuntu22.04noarchsquid< 5.7-0ubuntu0.22.04.2UNKNOWN
ubuntu23.04noarchsquid< 5.7-1ubuntu3.1UNKNOWN
ubuntu18.04noarchsquid3< 3.5.27-1ubuntu1.14+esm1UNKNOWN
ubuntu16.04noarchsquid3< 3.5.12-1ubuntu7.16+esm2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	20.04	noarch	squid	< 4.10-1ubuntu1.8	UNKNOWN
ubuntu	22.04	noarch	squid	< 5.7-0ubuntu0.22.04.2	UNKNOWN
ubuntu	23.04	noarch	squid	< 5.7-1ubuntu3.1	UNKNOWN
ubuntu	18.04	noarch	squid3	< 3.5.27-1ubuntu1.14+esm1	UNKNOWN
ubuntu	16.04	noarch	squid3	< 3.5.12-1ubuntu7.16+esm2	UNKNOWN