Cyber Resilience

CVE-2023-46846

Critical

Published: 03 November 2023

Modified: 18 December 2024
CVSS Score (v3.1): 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0958 (93.0th percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-46846 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Red Hat Enterprise Linux Server TUS. Its CVSS base score is 9.3 (Critical).

Operationally, it ranks in the top 7.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Squid is vulnerable to HTTP request smuggling because its chunked transfer-encoding decoder is excessively lenient. The flaw, tracked as CVE-2023-46846 and classified as CWE-444, affects the Squid caching proxy and carries a CVSS 3.1 base score of 9.3, reflecting that it is exploitable over the network without authentication or user interaction and involves a scope change, so confidentiality and integrity can be affected beyond the proxy itself.

A remote attacker can craft ambiguous HTTP/1.1 requests that exploit the decoder behavior to smuggle additional requests or responses. This allows the attacker to bypass intervening firewalls, load balancers, or other frontend security controls and reach origin servers or internal resources that would otherwise be protected.
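As an added illustration (not code from this advisory, from Squid, or from Red Hat), the Python below shows the defender's side of the decoder-lenience problem: a front end and an origin that both reject every deviation from RFC 9112 framing cannot be made to disagree about where one message ends and the next begins, which is the condition request smuggling depends on. The page does not describe the specific lenience in Squid's decoder, so the rejected inputs are constructed generic cases; MAX_CHUNK and the refusal of trailer fields are assumptions made to keep the example short.

```python
import re
# RFC 9112 s7.1 chunk-size line: hex digits, optional chunk extension, CRLF; nothing else.
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,7})(;[^\r\n]*)?\r\n\Z")
MAX_CHUNK = 1 << 24  # assumption: refuse any single chunk larger than 16 MiB

class ChunkedDecodeError(ValueError):
    """Raised on any framing a lenient decoder might silently accept."""

def framing_is_unambiguous(headers: dict) -> bool:
    """False when the body length could be read two ways (RFC 9112 s6.1/s6.3).

    headers maps lower-cased field names to every value seen. Content-Length
    together with Transfer-Encoding, conflicting duplicate Content-Length values,
    or a Transfer-Encoding not ending in 'chunked' are rejected, not reconciled.
    """
    te = [c.strip().lower() for v in headers.get("transfer-encoding", []) for c in v.split(",")]
    cl = [v.strip() for v in headers.get("content-length", [])]
    if te and (cl or te[-1] != "chunked"):
        return False
    return len(set(cl)) <= 1

def decode_chunked_strict(body: bytes) -> bytes:
    """Decode a chunked body, raising instead of guessing on malformed framing.

    Rejected (constructed) inputs include leading whitespace or a '0x' prefix in
    the chunk size, a bare LF terminator, and bytes after the last-chunk.
    Trailer fields are not accepted (assumption, to keep the example short).
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedDecodeError("chunk-size line not CRLF-terminated")
        line = body[pos:eol + 2]
        m = _CHUNK_SIZE_LINE.match(line)
        if m is None:
            raise ChunkedDecodeError(f"malformed chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        if size > MAX_CHUNK:
            raise ChunkedDecodeError(f"chunk of {size} bytes exceeds MAX_CHUNK")
        pos = eol + 2
        if size == 0:
            if body[pos:] != b"\r\n":  # only the terminating empty line may follow
                raise ChunkedDecodeError("unexpected bytes after last-chunk")
            return bytes(out)
        if body[pos + size:pos + size + 2] != b"\r\n":  # a short body also fails here
            raise ChunkedDecodeError("chunk data length or CRLF mismatch")
        out += body[pos:pos + size]
        pos += size + 2
```

Running the same strict checks on both the proxy and the origin is the point: the rejected inputs are exactly the ones on which two lenient-but-different parsers would otherwise disagree.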

Red Hat has published multiple errata (RHSA-2023:6266, RHSA-2023:6267, RHSA-2023:6268, RHSA-2023:6748, and RHSA-2023:6801) that address the issue through updated Squid packages. The EPSS score has remained flat at 0.0982 with no material increase since disclosure.

Vulnerability details

Squid is vulnerable to HTTP request smuggling caused by chunked decoder lenience, which allows a remote attacker to perform request/response smuggling past firewall and frontend security systems.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: Versions
squid-cache / squid: 2.6 — 6.4
redhat / enterprise linux: 8.0, 9.0
redhat / enterprise linux eus: 8.6, 8.8, 9.0, 9.2
redhat / enterprise linux for arm 64: 8.0_aarch64
redhat / enterprise linux for ibm z systems: 8.0_s390x
redhat / enterprise linux for power little endian: 8.0_ppc64le
redhat / enterprise linux server aus: 8.2, 8.4, 8.6, 9.2
redhat / enterprise linux server tus: 8.2, 8.4, 8.6, 8.8, 9.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
