Ubuntu.comUB:CVE-2023-5824CVE-2023-5824
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
76.6%
Squid is vulnerable to Denial of Service attack against HTTP and HTTPS
clients due to an Improper Handling of Structural Elements bug.
Bugs
- <https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2041837>
- <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054537>
- <https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2060880 (regression)>
Notes
| Author | Note |
|---|---|
| mdeslaur | as of 2024-01-26, this is not fixed in the upstream 5.x repository. The patches to fix this issue are large and intrusive. Per the researcher’s advisory, “Of course, such ‘attacks’ are completely theoretical and are only considered for entertainment purposes.” Ubuntu 20.04 LTS was patched in USN-6728-1, but the fix introduced crashes and was backed out in USN-6728-2. It was ultimately fixed in USN-6728-3. |
References
github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255
launchpad.net/bugs/cve/CVE-2023-5824
lists.squid-cache.org/pipermail/squid-announce/2023-October/000155.html
megamansec.github.io/Squid-Security-Audit/cache-headers.html
nvd.nist.gov/vuln/detail/CVE-2023-5824
security-tracker.debian.org/tracker/CVE-2023-5824
ubuntu.com/security/notices/USN-6728-1
ubuntu.com/security/notices/USN-6728-2
ubuntu.com/security/notices/USN-6728-3
www.cve.org/CVERecord?id=CVE-2023-5824
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.6 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
76.6%