CVE-2023-46846
Published: 03 November 2023
Summary
CVE-2023-46846 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Red Hat Enterprise Linux Server TUS. Its CVSS base score is 9.3 (Critical).
Operationally, it is ranked in the top 7.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Squid is vulnerable to HTTP request smuggling due to excessive lenience in its chunked transfer encoding decoder. The flaw, tracked as CVE-2023-46846 and assigned CWE-444, affects the Squid caching proxy and carries a CVSS 3.1 score of 9.3, reflecting network attackability without authentication or user interaction, and a scope change whose impact on confidentiality and integrity extends beyond the proxy itself.
A remote attacker can craft ambiguous HTTP/1.1 requests that exploit the decoder behavior to smuggle additional requests or responses. This allows the attacker to bypass intervening firewalls, load balancers, or other frontend security controls and reach origin servers or internal resources that would otherwise be protected.
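As an added illustration (not Squid's code or the Red Hat fix), the decoder below applies the RFC 9112 chunked-body grammar strictly: whitespace or a sign before the chunk size, a bare LF, a hex prefix, or chunk data not followed by CRLF are rejected rather than tolerated, which is what removes the room for two parsers in a proxy chain to disagree about where a message ends. It is deliberately stricter than the whitespace tolerance the RFC asks of recipients inside chunk extensions.

```python
import re

# Added example, not Squid's code: strict decoder for the HTTP/1.1 chunked
# transfer coding (RFC 9112 section 7.1); any grammar deviation is rejected.
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = rb'"(?:[^"\\\r\n]|\\.)*"'
# chunk-size = 1*HEXDIG (no sign, no whitespace), then optional chunk-ext.
_CHUNK_SIZE_LINE = re.compile(
    rb"\A([0-9A-Fa-f]{1,16})((?:;" + _TOKEN + rb"(?:=(?:" + _TOKEN + rb"|" + _QUOTED + rb"))?)*)\Z")
_TRAILER_LINE = re.compile(rb"\A" + _TOKEN + rb":[ \t]*[\x21-\x7e]*(?:[ \t]+[\x21-\x7e]+)*[ \t]*\Z")

class ChunkedError(ValueError):
    """Raised on any deviation from the chunked grammar."""

def _read_line(data: bytes, pos: int) -> tuple[bytes, int]:
    """Return (line without CRLF, next pos); bare LF or missing CRLF is fatal."""
    eol = data.find(b"\r\n", pos)
    if eol == -1 or b"\n" in data[pos:eol]:
        raise ChunkedError("line not CRLF-terminated, or bare LF inside line")
    return data[pos:eol], eol + 2

def decode_chunked_strict(data: bytes) -> tuple[bytes, bytes]:
    """Decode one chunked body. Returns (decoded body, bytes after the body)."""
    body, pos = bytearray(), 0
    while True:
        line, pos = _read_line(data, pos)
        m = _CHUNK_SIZE_LINE.match(line)
        if not m:
            raise ChunkedError(f"malformed chunk-size line: {line!r}")
        size = int(m.group(1), 16)
        if size == 0:
            break
        # chunk-data must be exactly `size` octets and be followed by CRLF.
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk-data not followed by CRLF, or truncated")
        body += data[pos:pos + size]
        pos += size + 2
    # last-chunk seen: zero or more trailer fields, then an empty line.
    while True:
        line, pos = _read_line(data, pos)
        if line == b"":
            return bytes(body), data[pos:]
        if not _TRAILER_LINE.match(line):
            raise ChunkedError(f"malformed trailer field: {line!r}")

def is_well_formed(data: bytes) -> bool:
    """True only if the whole chunked body parses under the strict grammar."""
    try:
        return decode_chunked_strict(data) is not None
    except ChunkedError:
        return False
```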
Red Hat has published multiple errata (RHSA-2023:6266, RHSA-2023:6267, RHSA-2023:6268, RHSA-2023:6748, and RHSA-2023:6801) that address the issue through updated Squid packages. The EPSS score has remained flat at 0.0982 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-51012
Vulnerability details
Squid is vulnerable to HTTP request smuggling caused by chunked decoder lenience, which allows a remote attacker to perform request/response smuggling past firewall and frontend security systems.
- CWE(s): CWE-444 (HTTP Request/Response Smuggling)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.