Vulnerability Details : CVE-2023-50269
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.
Vulnerability category: Denial of service
Products affected by CVE-2023-50269
- cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.6:*:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:-:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-50269
1.35%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 79 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-50269
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
|
8.6
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
3.9
|
4.0
|
GitHub, Inc. |
CWE ids for CVE-2023-50269
-
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-50269
-
https://security.netapp.com/advisory/ntap-20240119-0005/
CVE-2023-50269 Squid Vulnerability in NetApp Products | NetApp Product Security
-
http://www.squid-cache.org/Versions/v6/SQUID-2023_10.patch
Broken Link
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEV66D3PAAY6K7TWDT3WZBLCPLASFJDC/
[SECURITY] Fedora 38 Update: squid-6.6-1.fc38 - package-announce - Fedora Mailing-Lists
-
http://www.squid-cache.org/Versions/v5/SQUID-2023_10.patch
Broken Link
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5QASTMCUSUEW3UOMKHZJB3FTONWSRXS/
[SECURITY] Fedora 39 Update: squid-6.6-1.fc39 - package-announce - Fedora Mailing-Lists
-
https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3
SQUID-2023:10 Denial of Service in HTTP Request parsing · Advisory · squid-cache/squid · GitHubThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html
[SECURITY] [DLA 3709-1] squid security update
Jump to