CVE Tools

CVE-2024-23638

SQUID-2023:11 Denial of Service in Cache Manager

Published: Jan 23, 2024Updated: Nov 21, 2024 Sources: CVE List NVD BDUCWE-825

No Known Exploits

Patch Available

Description

Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.

CVSS Vector Breakdown

Exploitability

AV:NAttack Vector

Network

AC:LAttack Complexity

Low

PR:LPrivileges Required

Low

UI:NUser Interaction

None

Scope

S:UScope

Unchanged

Impact

C:NConfidentiality

None

I:NIntegrity

None

A:HAvailability

High

Open in CVSS calculator →

Weaknesses

CWE-825 CWE-672

Affected Products

РЕД ОС ООО «Ред Софт»

On-premOS

Operating Systems / linux-distro

Astra Linux Special Edition ООО «РусБИТех-Астра»

On-premOS

Operating Systems / linux-distro

РОСА ХРОМ АО «НТЦ ИТ РОСА»

On-prem

Operating Systems / linux-distro

АЛЬТ СП 10 АО «ИВК»

On-premOS

Operating Systems / linux-distro

Squid Squid Software Foundation

On-premNetwork Device

Networking Infrastructure / load-balancer-proxy

ооо «ред софт»commercialRUOperating Systemsaka red soft

ооо «русбитех-астра»commercialRUOperating Systemsaka rusbitech-astra

ао «нтц ит роса»commercialRUOperating Systems

ао «ивк»commercialRUOperating Systemsaka ivk

squid software foundationoss-projectNetworking Infrastructure

and 1 more affected products View all →

Exploitability

Official Patch Available

References

http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch

squid-cache.org

http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch

squid-cache.org

https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b

and 16 more references View all →

Timeline

Published

Jan 23, 2024

Last Updated

Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2024-23638 and every CVE in our database. Create a free account — no credit card required.

Create Free Account

Plain-language analysis

Impact assessment and exploitation scenario in plain English

Attack graph visualization

Interactive attack path and kill chain mapping

Exploit details & PoC links

ExploitDB, Metasploit, GitHub PoCs with direct links

Nuclei scanner templates

Ready-to-use vulnerability scanner templates

Full remediation guide

Patch instructions, workarounds, and compliance impact

Interactive AI chat

Ask questions about this vulnerability in natural language

Related vulnerabilities

Semantically similar CVEs and attack patterns

REST API & MCP access

Integrate vulnerability data into your workflows