CVE-2023-46724
Summary
| Field | Value |
|---|---|
| CVE | CVE-2023-46724 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-11-01 20:15:00 UTC |
| Updated | 2023-11-09 15:07:00 UTC |
| Description | Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages. |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Squid-cache | Squid | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.squid-cache.org/Versions/v5/SQUID-2023_4.patch | MISC | www.squid-cache.org | |
| SQUID-2023:4 Denial of Service in SSL Certificate validation · Advisory · squid-cache/squid · GitHub | MISC | github.com | |
| www.squid-cache.org/Versions/v6/SQUID-2023_4.patch | MISC | www.squid-cache.org | |
| Fix validation of certificates with CN=* (#1523) · squid-cache/squid@b70f864 · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 161268 Oracle Enterprise Linux Security Update for squid:4 (ELSA-2024-0046)
- 161269 Oracle Enterprise Linux Security Update for squid (ELSA-2024-0071)
- 161480 Oracle Enterprise Linux Security Update for squid (ELSA-2024-1787)
- 199932 Ubuntu Security Notification for Squid Vulnerabilities (USN-6500-1)
- 242863 Red Hat Update for squid:4 (RHSA-2024:0397)
- 242910 Red Hat Update for squid (RHSA-2024:0072)
- 242913 Red Hat Update for squid:4 (RHSA-2024:0773)
- 242914 Red Hat Update for squid:4 (RHSA-2024:0771)
- 242915 Red Hat Update for squid:4 (RHSA-2024:0772)
- 243018 Red Hat Update for squid (RHSA-2024:1153)
- 243194 Red Hat Update for squid (RHSA-2024:1787)
- 284838 Fedora Security Update for squid (FEDORA-2023-6317eaa767)
- 285079 Fedora Security Update for squid (FEDORA-2023-ab77331a34)
- 356745 Amazon Linux Security Advisory for squid : ALAS-2023-1886
- 356755 Amazon Linux Security Advisory for squid : ALAS2-2023-2354
- 356900 Amazon Linux Security Advisory for squid : ALAS2023-2023-429
- 356995 Amazon Linux Security Advisory for squid : AL2012-2023-479
- 379621 Alibaba Cloud Linux Security Update for squid:4 (ALINUX3-SA-2024:0020)
- 505941 Alpine Linux Security Update for squid
- 6000513 Debian Security Update for squid (DSA 5637-1)
- 673768 EulerOS Security Update for squid (EulerOS-SA-2024-1301)
- 755236 SUSE Enterprise Linux Security Update for squid (SUSE-SU-2023:4381-1)
- 755237 SUSE Enterprise Linux Security Update for squid (SUSE-SU-2023:4380-1)
- 755241 SUSE Enterprise Linux Security Update for squid (SUSE-SU-2023:4384-1)