Cyber Resilience

CVE-2023-49285

Severity: High
Published: 04 December 2023
Modified: 21 November 2024
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0962 (93.1st percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-49285 is a high-severity Buffer Over-read (CWE-126) vulnerability in the Squid caching proxy (vendor: squid-cache). Its CVSS v3.1 base score is 8.6 (High).

Operationally, its EPSS score ranks it in the top 6.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Squid, a widely used caching proxy supporting HTTP, HTTPS, FTP and related protocols, contains a buffer overread vulnerability in its HTTP message processing code. The flaw, tracked as CVE-2023-49285 and assigned CWE-126 and CWE-125, allows an attacker to trigger a denial of service by supplying specially crafted input that causes Squid to read beyond allocated buffer boundaries. The issue affects multiple maintained release lines prior to the 6.5 release and carries a CVSS 3.1 base score of 8.6 reflecting network attack vector, low complexity, and high availability impact with no required privileges or user interaction.

An unauthenticated remote attacker can send malicious HTTP messages directly to an exposed Squid instance, causing the proxy to crash or become unresponsive. Because the vulnerability resides in core message parsing, the attack can be mounted against any deployment that accepts untrusted client or server traffic, including forward and reverse proxy configurations.

Official advisories and patches published by the Squid project state that the bug is resolved in version 6.5 and provide back-ported fixes for the 5.x series via the referenced SQUID-2023_7 patches and corresponding Git commits. No workarounds are documented, and administrators are advised to upgrade immediately. The associated EPSS score has remained low and stable near 0.096, indicating limited observed exploitation interest to date.

Vulnerability details

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

CWE-126 (Buffer Over-read), CWE-125 (Out-of-bounds Read)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

squid-cache / squid, versions ≤ 6.4

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
