// For flags

CVE-2023-50269

SQUID-2023:10 Denial of Service in HTTP Request parsing

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.

Squid es un proxy de almacenamiento en caché para la Web. Debido a un error de recursión no controlada en las versiones 2.6 a 2.7.STABLE9, versiones 3.1 a 5.9 y versiones 6.0.1 a 6.5, Squid puede ser vulnerable a un ataque de denegación de servicio contra el análisis de solicitudes HTTP. Este problema permite que un cliente remoto realice un ataque de denegación de servicio enviando un encabezado X-Forwarded-For grande cuando la función follow_x_forwarded_for está configurada. Este error se solucionó con la versión 6.6 de Squid. Además, los parches que solucionan este problema para las versiones estables se pueden encontrar en los archivos de parches de Squid.

A flaw was found in Squid, which is susceptible to a Denial of Service (DoS) due to an Uncontrolled Recursion bug, specifically targeting HTTP Request parsing. Exploiting this issue involves a remote client initiating a DoS attack by sending an oversized X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This issue poses a threat to the stability and availability of the Squid service.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-12-05 CVE Reserved
  • 2023-12-14 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-11-13 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-674: Uncontrolled Recursion
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
>= 3.1 <= 5.9
Search vendor "Squid-cache" for product "Squid" and version " >= 3.1 <= 5.9"
-
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
>= 6.0.1 <= 6.5
Search vendor "Squid-cache" for product "Squid" and version " >= 6.0.1 <= 6.5"
-
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.6
Search vendor "Squid-cache" for product "Squid" and version "2.6"
-
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
-
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
stable1
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
stable2
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
stable3
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
stable4
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
stable5
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
stable6
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
stable7
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
stable8
Affected
Squid-cache
Search vendor "Squid-cache"
Squid
Search vendor "Squid-cache" for product "Squid"
2.7
Search vendor "Squid-cache" for product "Squid" and version "2.7"
stable9
Affected