CVE-2023-49288

CVE-2023-49288

Name

CVE-2023-49288

Description

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Affected versions of squid are subject to a a Use-After-Free bug which can lead to a Denial of Service attack via collapsed forwarding. All versions of Squid from 3.5 up to and including 5.9 configured with "collapsed_forwarding on" are vulnerable. Configurations with "collapsed_forwarding off" or without a "collapsed_forwarding" directive are not vulnerable. This bug is fixed by Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should remove all collapsed_forwarding lines from their squid.conf.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/
security-advisories@github.com	https://security.netapp.com/advisory/ntap-20240119-0006/

Type

URI

security-advisories@github.com

https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5

security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/

security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/

security-advisories@github.com

https://security.netapp.com/advisory/ntap-20240119-0006/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:squid-cache:squid::::::::`	squid	>= 3.5	<= 5.9

CPE URI

Source package

Min version

Max version

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

squid

>= 3.5

<= 5.9

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
squid	edge-main	6.1-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
squid	edge-main	5.7-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
squid	edge-main	5.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
squid	edge-main	5.0.6-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
squid	edge-main	5.0.5-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
squid	edge-main	4.13.0-r0	None	possibly vulnerable
squid	edge-main	4.12.0-r0	None	possibly vulnerable
squid	edge-main	4.10-r0	None	possibly vulnerable
squid	edge-main	4.9-r0	None	possibly vulnerable
squid	edge-main	4.8-r0	None	possibly vulnerable
squid	edge-main	3.5.27-r2	None	possibly vulnerable
squid	3.22-main	6.1-r0	None	fixed
squid	3.22-main	5.7-r0	None	possibly vulnerable
squid	3.22-main	5.2-r0	None	possibly vulnerable
squid	3.22-main	5.0.6-r0	None	possibly vulnerable
squid	3.22-main	5.0.5-r0	None	possibly vulnerable
squid	3.22-main	4.13.0-r0	None	possibly vulnerable
squid	3.22-main	4.12.0-r0	None	possibly vulnerable
squid	3.22-main	4.10-r0	None	possibly vulnerable
squid	3.22-main	4.9-r0	None	possibly vulnerable
squid	3.22-main	4.8-r0	None	possibly vulnerable
squid	3.22-main	3.5.27-r2	None	possibly vulnerable
squid	3.21-main	6.1-r0	None	fixed
squid	3.21-main	5.7-r0	None	possibly vulnerable
squid	3.21-main	5.2-r0	None	possibly vulnerable
squid	3.21-main	5.0.6-r0	None	possibly vulnerable
squid	3.21-main	5.0.5-r0	None	possibly vulnerable
squid	3.21-main	4.13.0-r0	None	possibly vulnerable
squid	3.21-main	4.12.0-r0	None	possibly vulnerable
squid	3.21-main	4.10-r0	None	possibly vulnerable
squid	3.21-main	4.9-r0	None	possibly vulnerable
squid	3.21-main	4.8-r0	None	possibly vulnerable
squid	3.21-main	3.5.27-r2	None	possibly vulnerable
squid	3.20-main	6.1-r0	None	fixed
squid	3.20-main	5.7-r0	None	possibly vulnerable
squid	3.20-main	5.2-r0	None	possibly vulnerable
squid	3.20-main	5.0.6-r0	None	possibly vulnerable
squid	3.20-main	5.0.5-r0	None	possibly vulnerable
squid	3.20-main	4.13.0-r0	None	possibly vulnerable
squid	3.20-main	4.12.0-r0	None	possibly vulnerable
squid	3.20-main	4.10-r0	None	possibly vulnerable
squid	3.20-main	4.9-r0	None	possibly vulnerable
squid	3.20-main	4.8-r0	None	possibly vulnerable
squid	3.20-main	3.5.27-r2	None	possibly vulnerable
squid	3.19-main	6.1-r0	None	fixed
squid	3.19-main	5.7-r0	None	possibly vulnerable
squid	3.19-main	5.2-r0	None	possibly vulnerable
squid	3.19-main	5.0.6-r0	None	possibly vulnerable
squid	3.19-main	5.0.5-r0	None	possibly vulnerable
squid	3.19-main	4.13.0-r0	None	possibly vulnerable
squid	3.19-main	4.12.0-r0	None	possibly vulnerable
squid	3.19-main	4.10-r0	None	possibly vulnerable
squid	3.19-main	4.9-r0	None	possibly vulnerable
squid	3.19-main	4.8-r0	None	possibly vulnerable
squid	3.19-main	3.5.27-r2	None	possibly vulnerable
squid	3.18-main	5.9-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
squid	3.17-main	5.7-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages