CVE-2023-5824
Published: 3 November 2023
Squid is vulnerable to Denial of Service attack against HTTP and HTTPS clients due to an Improper Handling of Structural Elements bug.
Notes
Author | Note |
---|---|
mdeslaur | as of 2023-12-05, this is not fixed in the upstream 5.x repository. The patches to fix this issue are large and intrusive. Per the researcher's advisory, "Of course, such 'attacks' are completely theoretical and are only considered for entertainment purposes." This CVE will be marked as deferred until a backport to 5.x is available. |
Priority
Status
Package | Release | Status |
---|---|---|
squid Launchpad, Ubuntu, Debian |
trusty |
Ignored
(end of standard support)
|
xenial |
Ignored
(end of standard support)
|
|
bionic |
Ignored
(end of standard support)
|
|
focal |
Deferred
(2023-12-05)
|
|
jammy |
Deferred
(2023-12-05)
|
|
lunar |
Deferred
(2023-12-05)
|
|
mantic |
Deferred
(2023-12-05)
|
|
upstream |
Released
(6.5)
|
|
Patches: upstream: https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988 (6.x) upstream: https://github.com/squid-cache/squid/commit/57acdb7dcec38605ede048db82b495ba316e6311 (6.x) upstream: https://github.com/squid-cache/squid/commit/2f3efe5d9e1c9444cb3f95fc09cbbf52985f37bf (6.x) |
||
squid3 Launchpad, Ubuntu, Debian |
trusty |
Ignored
(end of standard support)
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
upstream |
Needs triage
|
|
bionic |
Deferred
(2023-12-05)
|
|
xenial |
Deferred
(2023-12-05)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5824
- https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255
- https://lists.squid-cache.org/pipermail/squid-announce/2023-October/000155.html
- https://megamansec.github.io/Squid-Security-Audit/cache-headers.html
- NVD
- Launchpad
- Debian