CVE-2023-49285

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-49285
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49285.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-49285
Aliases
  • GHSA-8w9r-p88v-mmx9
Downstream
Related
Published
2023-12-04T22:56:55Z
Modified
2025-10-21T13:33:23.258753Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H CVSS Calculator
Summary
Denial of Service in HTTP Message Processing in Squid
Details

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/squid-cache/squid

Affected ranges

Type
GIT
Repo
https://github.com/squid-cache/squid
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
77b3fb4df0f126784d5fd4967c28ed40eb8d521b
Fixed
deee944f9a12c9fd399ce52f3e2526bb573a9470

Affected versions

4.*

4.15-20210522-snapshot
4.15-20210523-snapshot
4.15-20210524-snapshot
4.15-20210525-snapshot
4.15-20210527-snapshot

5.*

5.0.6-20210522-snapshot
5.0.6-20210523-snapshot
5.0.6-20210524-snapshot
5.0.6-20210525-snapshot
5.0.6-20210527-snapshot

6.*

6.0.0-20210522-master-snapshot
6.0.0-20210523-master-snapshot
6.0.0-20210524-master-snapshot
6.0.0-20210525-master-snapshot
6.0.0-20210527-master-snapshot

Other

BASIC_TPROXY4
HISTORIC_RELEASES
M-staged-PR161
M-staged-PR164
M-staged-PR170
M-staged-PR176
M-staged-PR179
M-staged-PR181
M-staged-PR182
M-staged-PR186
M-staged-PR189
M-staged-PR193
M-staged-PR195
M-staged-PR196
M-staged-PR198
M-staged-PR199
M-staged-PR200
M-staged-PR202
M-staged-PR206
M-staged-PR208
M-staged-PR209
M-staged-PR210
M-staged-PR218
M-staged-PR220
M-staged-PR221
M-staged-PR225
M-staged-PR227
M-staged-PR229
M-staged-PR230
M-staged-PR235
M-staged-PR237
M-staged-PR238
M-staged-PR239
M-staged-PR241
M-staged-PR242
M-staged-PR252
M-staged-PR255
M-staged-PR258
M-staged-PR264
M-staged-PR266
M-staged-PR267
M-staged-PR268
M-staged-PR274
M-staged-PR276
M-staged-PR293
M-staged-PR294
M-staged-PR295
M-staged-PR299
M-staged-PR306
M-staged-PR314
M-staged-PR319
M-staged-PR342
M-staged-PR345
M-staged-PR348
M-staged-PR351
M-staged-PR359
M-staged-PR364
M-staged-PR365
M-staged-PR366
M-staged-PR370
M-staged-PR372
M-staged-PR373
M-staged-PR375
M-staged-PR376
SQUID_3_0_PRE1
SQUID_3_0_PRE2
SQUID_3_0_PRE3
SQUID_3_0_PRE4
SQUID_3_0_PRE5
SQUID_3_0_PRE6
SQUID_3_0_PRE7
SQUID_3_0_RC1
SQUID_3_5_27
SQUID_4_0_1
SQUID_4_0_10
SQUID_4_0_11
SQUID_4_0_12
SQUID_4_0_13
SQUID_4_0_14
SQUID_4_0_15
SQUID_4_0_16
SQUID_4_0_2
SQUID_4_0_3
SQUID_4_0_4
SQUID_4_0_5
SQUID_4_0_6
SQUID_4_0_7
SQUID_4_0_8
SQUID_4_0_9
SQUID_5_0_1
SQUID_5_0_2
SQUID_5_0_3
SQUID_5_0_4
SQUID_5_0_5
SQUID_5_0_6
SQUID_5_0_7
SQUID_5_1
SQUID_5_2
SQUID_5_3
SQUID_5_4_1
SQUID_5_5
SQUID_5_6
SQUID_5_7
SQUID_5_8
SQUID_5_9
SQUID_6_0_1
SQUID_6_0_2
SQUID_6_0_3
SQUID_6_1
SQUID_6_2
SQUID_6_3
SQUID_6_4
for-libecap-v0p1
merge-candidate-3-v1
merge-candidate-3-v2
sourceformat-review-1
take00
take01
take02
take03
take04
take06
take07
take08
take09
take1
take2

BumpSslServerFirst.*

BumpSslServerFirst.take01
BumpSslServerFirst.take02
BumpSslServerFirst.take03
BumpSslServerFirst.take04
BumpSslServerFirst.take05
BumpSslServerFirst.take06
BumpSslServerFirst.take07
BumpSslServerFirst.take08
BumpSslServerFirst.take09
BumpSslServerFirst.take10

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470",
        "target": {
            "function": "make_month",
            "file": "src/time/rfc1123.cc"
        },
        "digest": {
            "function_hash": "164979830842734690722875744928057871569",
            "length": 314.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-49285-0321cf26",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b",
        "target": {
            "file": "lib/rfc1123.c"
        },
        "digest": {
            "line_hashes": [
                "254665393534594738508084282088153151738",
                "293766430760506514691035815790752071906",
                "52130077338185614748797763944600405352",
                "233931196911573896403460085548435094738",
                "145985704875151314138039684014417983553"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2023-49285-47e2fa4b",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/squid-cache/squid/commit/77b3fb4df0f126784d5fd4967c28ed40eb8d521b",
        "target": {
            "function": "make_month",
            "file": "lib/rfc1123.c"
        },
        "digest": {
            "function_hash": "164979830842734690722875744928057871569",
            "length": 314.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2023-49285-9f7ff880",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/squid-cache/squid/commit/deee944f9a12c9fd399ce52f3e2526bb573a9470",
        "target": {
            "file": "src/time/rfc1123.cc"
        },
        "digest": {
            "line_hashes": [
                "254665393534594738508084282088153151738",
                "293766430760506514691035815790752071906",
                "52130077338185614748797763944600405352",
                "233931196911573896403460085548435094738",
                "145985704875151314138039684014417983553"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2023-49285-a2c08ad6",
        "signature_version": "v1"
    }
]