ubuntucve | Ubuntu.com | UB:CVE-2023-46847
History: Nov 03, 2023 - 12:00 a.m.

CVE-2023-46847

Tags: squid, vulnerability, http digest authentication, buffer overflow, denial of service, remote attacker, heap memory, ubuntu, bug

CVSS3: 8.6 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

AI Score: 6.9 Medium (Confidence: Low)
EPSS: 0.03 Low (Percentile: 91.0%)

Squid is vulnerable to a Denial of Service, where a remote attacker can
perform a buffer overflow attack by writing up to 2 MB of arbitrary data to
heap memory when Squid is configured to accept HTTP Digest Authentication.

OS      OS Version  Architecture  Package  Package Version               Filename
ubuntu  20.04       noarch        squid    < 4.10-1ubuntu1.8             UNKNOWN
ubuntu  22.04       noarch        squid    < 5.7-0ubuntu0.22.04.2        UNKNOWN
ubuntu  23.04       noarch        squid    < 5.7-1ubuntu3.1              UNKNOWN
ubuntu  23.10       noarch        squid    < 6.1-2ubuntu1.1              UNKNOWN
ubuntu  18.04       noarch        squid3   < 3.5.27-1ubuntu1.14+esm1     UNKNOWN
ubuntu  16.04       noarch        squid3   < 3.5.12-1ubuntu7.16+esm2     UNKNOWN
