Bug 2245919 (CVE-2023-46848) - CVE-2023-46848 squid: denial of Service in FTP
Summary: CVE-2023-46848 squid: denial of Service in FTP
Keywords:
Status: NEW
Alias: CVE-2023-46848
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2245920
Blocks: 2245907
TreeView+ depends on / blocked
 
Reported: 2023-10-24 14:55 UTC by Robb Gatica
Modified: 2023-12-13 07:30 UTC (History)
2 users (show)

Fixed In Version: squid 6.4
Doc Type: If docs needed, set a value
Doc Text:
Squid is vulnerable to Denial of Service, where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:6266 0 None None None 2023-11-02 09:35:44 UTC
Red Hat Product Errata RHSA-2023:6268 0 None None None 2023-11-02 09:44:08 UTC
Red Hat Product Errata RHSA-2023:6748 0 None None None 2023-11-07 10:27:23 UTC

Description Robb Gatica 2023-10-24 14:55:18 UTC
Description:
a) Due to an Incorrect Conversion between Numeric Types
bug Squid is vulnerable to a Denial of Service
attack against FTP Native Relay input validation.

b) Due to an Incorrect Conversion between Numeric Types
bug Squid is vulnerable to a Denial of Service
attack against ftp:// URL validation and access control.

Reference: https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w

Affected versions: 5.0.3-5.9, 6.0-6.3

Comment 1 Robb Gatica 2023-10-24 14:55:31 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 2245920]

Comment 4 errata-xmlrpc 2023-11-02 09:35:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6266 https://access.redhat.com/errata/RHSA-2023:6266

Comment 5 errata-xmlrpc 2023-11-02 09:44:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:6268 https://access.redhat.com/errata/RHSA-2023:6268

Comment 6 errata-xmlrpc 2023-11-07 10:27:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6748 https://access.redhat.com/errata/RHSA-2023:6748

Comment 7 Vipul Nair 2023-12-10 11:08:36 UTC
Heya rob, could you drop an NVD email as to why the CVSS scope is marked as Changed?


Note You need to log in before you can comment on or make changes to this bug.