CVE-2024-23638

Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 93%
VendorProductVersion
squid-cachesquid
5.0 ≤
𝑥
≤ 5.9
squid-cachesquid
6.0 ≤
𝑥
< 6.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
squid
bullseye
4.13-10+deb11u3
fixed
bullseye (security)
4.13-10+deb11u4
fixed
bookworm
5.7-2+deb12u2
fixed
bookworm (security)
5.7-2+deb12u2
fixed
sid
6.13-1
fixed
trixie
6.13-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
squid
plucky
Fixed 6.6-1ubuntu1
released
oracular
Fixed 6.6-1ubuntu1
released
noble
Fixed 6.6-1ubuntu1
released
mantic
Fixed 6.1-2ubuntu1.3
released
lunar
ignored
jammy
Fixed 5.7-0ubuntu0.22.04.4
released
focal
Fixed 4.10-1ubuntu1.10
released
bionic
dne
xenial
dne
trusty
dne
squid3
plucky
dne
oracular
dne
noble
dne
mantic
dne
lunar
dne
jammy
dne
focal
dne
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch
https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b
https://github.com/squid-cache/squid/commit/e8118a7381213f5cfcdeb4cec1d2d854bfd261c8
https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/
https://megamansec.github.io/Squid-Security-Audit/stream-assert.html
https://security.netapp.com/advisory/ntap-20240208-0010/
http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch
http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch
https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b
https://github.com/squid-cache/squid/commit/e8118a7381213f5cfcdeb4cec1d2d854bfd261c8
https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/
https://megamansec.github.io/Squid-Security-Audit/stream-assert.html
https://security.netapp.com/advisory/ntap-20240208-0010/