CVE-2023-5824

Published: 3 November 2023

Squid is vulnerable to a Denial of Service attack against HTTP and HTTPS clients due to an Improper Handling of Structural Elements bug.

Notes

Author: mdeslaur
Note: As of 2023-12-05, this is not fixed in the upstream 5.x repository. The patches to fix this issue are large and intrusive. Per the researcher's advisory, "Of course, such 'attacks' are completely theoretical and are only considered for entertainment purposes." This CVE will be marked as deferred until a backport to 5.x is available.

Priority

Medium

CVSS 3 Severity Score

7.5

Status

Package   Release    Status
squid     trusty     Ignored (end of standard support)
          xenial     Ignored (end of standard support)
          bionic     Ignored (end of standard support)
          focal      Deferred (2023-12-05)
          jammy      Deferred (2023-12-05)
          lunar      Deferred (2023-12-05)
          mantic     Deferred (2023-12-05)
          upstream   Released (6.5)
Patches:
upstream: https://github.com/squid-cache/squid/commit/a27bf4b84da23594150c7a86a23435df0b35b988 (6.x)
upstream: https://github.com/squid-cache/squid/commit/57acdb7dcec38605ede048db82b495ba316e6311 (6.x)
upstream: https://github.com/squid-cache/squid/commit/2f3efe5d9e1c9444cb3f95fc09cbbf52985f37bf (6.x)
Package   Release    Status
squid3    trusty     Ignored (end of standard support)
          focal      Does not exist
          jammy      Does not exist
          lunar      Does not exist
          mantic     Does not exist
          upstream   Needs triage
          bionic     Deferred (2023-12-05)
          xenial     Deferred (2023-12-05)

Severity score breakdown

Parameter             Value
Base score            7.5
Attack vector         Network
Attack complexity     Low
Privileges required   None
User interaction      None
Scope                 Unchanged
Confidentiality       None
Integrity impact      None
Availability impact   High
Vector                CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H