{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46846", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-10-27T08:36:38.158Z", "datePublished": "2023-11-03T07:33:16.184Z", "dateUpdated": "2025-01-27T07:40:08.286Z"}, "containers": {"cna": {"title": "Squid: request/response smuggling in http/1.1 and icap", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems."}], "affected": [{"versions": [{"status": "affected", "version": "2.6", "lessThan": "6.4", "versionType": "semver"}], "packageName": "squid", "collectionURL": "https://github.com/squid-cache/squid", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid", "defaultStatus": "affected", "versions": [{"version": "7:3.5.20-17.el7_9.13", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhel_els:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8080020231030214932.63b34585", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8090020231030224841.a75119d5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8010020231101141358.c27ad7f8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:8.1::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8020020231101135052.4cda2c84", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8020020231101135052.4cda2c84", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8020020231101135052.4cda2c84", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8040020231101101624.522a0ee4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8040020231101101624.522a0ee4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8040020231101101624.522a0ee4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid:4", "defaultStatus": "affected", "versions": [{"version": "8060020231031165747.ad008a3a", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:8.6::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid", "defaultStatus": "affected", "versions": [{"version": "7:5.5-5.el9_2.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid", "defaultStatus": "affected", "versions": [{"version": "7:5.5-6.el9_3.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid", "defaultStatus": "affected", "versions": [{"version": "7:5.2-1.el9_0.3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.0::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "squid34", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:6266", "name": "RHSA-2023:6266", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6267", "name": "RHSA-2023:6267", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6268", "name": "RHSA-2023:6268", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6748", "name": "RHSA-2023:6748", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6801", "name": "RHSA-2023:6801", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6803", "name": "RHSA-2023:6803", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6804", "name": "RHSA-2023:6804", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6810", "name": "RHSA-2023:6810", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7213", "name": "RHSA-2023:7213", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:11049", "name": "RHSA-2024:11049", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-46846", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245910", "name": "RHBZ#2245910", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh"}], "datePublic": "2023-10-19T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "timeline": [{"lang": "en", "time": "2023-10-24T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-19T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-01-27T07:40:08.286Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.849Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:6266", "name": "RHSA-2023:6266", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6267", "name": "RHSA-2023:6267", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6268", "name": "RHSA-2023:6268", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6748", "name": "RHSA-2023:6748", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6801", "name": "RHSA-2023:6801", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6803", "name": "RHSA-2023:6803", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6804", "name": "RHSA-2023:6804", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6810", "name": "RHSA-2023:6810", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7213", "name": "RHSA-2023:7213", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-46846", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245910", "name": "RHBZ#2245910", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00008.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231130-0002/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2023-12-19T21:18:15.819621Z", "id": "CVE-2023-46846", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-03T14:31:21.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:6266", "name": "RHSA-2023:6266", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6267", "name": "RHSA-2023:6267", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6268", "name": "RHSA-2023:6268", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6748", "name": "RHSA-2023:6748", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6801", "name": "RHSA-2023:6801", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6803", "name": "RHSA-2023:6803", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6804", "name": "RHSA-2023:6804", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6810", "name": "RHSA-2023:6810", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7213", "name": "RHSA-2023:7213", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-46846", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245910", "name": "RHBZ#2245910", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00008.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231130-0002/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:21.849Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-46846", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2023-12-19T21:18:15.819621Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-03T14:31:03.969Z"}}], "cna": {"title": "Squid: request/response smuggling in http/1.1 and icap", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "2.6", "lessThan": "6.4", "versionType": "semver"}], "packageName": "squid", "collectionURL": "https://github.com/squid-cache/squid", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:rhel_els:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "versions": [{"status": "unaffected", "version": "7:3.5.20-17.el7_9.13", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "8080020231030214932.63b34585", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "8090020231030224841.a75119d5", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:8.1::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "8010020231101141358.c27ad7f8", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "versions": [{"status": "unaffected", "version": "8020020231101135052.4cda2c84", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "versions": [{"status": "unaffected", "version": "8020020231101135052.4cda2c84", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_tus:8.2::appstream", "cpe:/a:redhat:rhel_aus:8.2::appstream", "cpe:/a:redhat:rhel_e4s:8.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "8020020231101135052.4cda2c84", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "versions": [{"status": "unaffected", "version": "8040020231101101624.522a0ee4", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "versions": [{"status": "unaffected", "version": "8040020231101101624.522a0ee4", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_tus:8.4::appstream", "cpe:/a:redhat:rhel_e4s:8.4::appstream", "cpe:/a:redhat:rhel_aus:8.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "8040020231101101624.522a0ee4", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:8.6::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "versions": [{"status": "unaffected", "version": "8060020231031165747.ad008a3a", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid:4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "7:5.5-5.el9_2.1", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "7:5.5-6.el9_3.1", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.0::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "versions": [{"status": "unaffected", "version": "7:5.2-1.el9_0.3", "lessThan": "*", "versionType": "rpm"}], "packageName": "squid", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "squid", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "squid34", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2023-10-24T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-19T00:00:00+00:00", "value": "Made public."}], "datePublic": "2023-10-19T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:6266", "name": "RHSA-2023:6266", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6267", "name": "RHSA-2023:6267", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6268", "name": "RHSA-2023:6268", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6748", "name": "RHSA-2023:6748", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6801", "name": "RHSA-2023:6801", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6803", "name": "RHSA-2023:6803", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6804", "name": "RHSA-2023:6804", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6810", "name": "RHSA-2023:6810", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7213", "name": "RHSA-2023:7213", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:11049", "name": "RHSA-2024:11049", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-46846", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245910", "name": "RHBZ#2245910", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh"}], "descriptions": [{"lang": "en", "value": "SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-01-27T07:40:08.286Z"}, "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}}, "cveMetadata": {"cveId": "CVE-2023-46846", "state": "PUBLISHED", "dateUpdated": "2025-01-27T07:40:08.286Z", "dateReserved": "2023-10-27T08:36:38.158Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-11-03T07:33:16.184Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "D68B5D22-7802-4AA1-9835-97208C2DF9BD", "versionEndExcluding": "6.4", "versionStartIncluding": "2.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "6C3741B8-851F-475D-B428-523F4F722350", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "62C31522-0A17-4025-B269-855C7F4B45C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "4DDA3E5A-8754-4C48-9A27-E2415F8A6000", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "3C74F6FA-FA6C-4648-9079-91446E45EE47", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0_aarch64:*:*:*:*:*:*:*", "matchCriteriaId": "5A47EF78-A5B6-4B89-8B74-EEB0647C549F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*", "matchCriteriaId": "32AF225E-94C0-4D07-900C-DD868C05F554", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "23D471AC-7DCA-4425-AD91-E5D928753A8C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "6897676D-53F9-45B3-B27F-7FF9A4C58D33", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "E28F226A-CBC7-4A32-BE58-398FA5B42481", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "76C24D94-834A-4E9D-8F73-624AFA99AAA2", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "F32CA554-F9D7-425B-8F1C-89678507F28C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "B09ACF2D-D83F-4A86-8185-9569605D8EE1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*", "matchCriteriaId": "AC10D919-57FD-4725-B8D2-39ECB476902F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "1272DF03-7674-4BD4-8E64-94004B195448", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "F1CA946D-1665-4874-9D41-C7D963DD1F56", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "647A34CD-AB8C-44DD-8FD7-03315633FF1B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems."}, {"lang": "es", "value": "SQUID es vulnerable al contrabando de solicitudes HTTP, causado por la indulgencia de los decodificadores fragmentados, lo que permite a un atacante remoto realizar el contrabando de solicitudes/respuestas a trav\u00e9s del firewall y los sistemas de seguridad frontales."}], "id": "CVE-2023-46846", "lastModified": "2024-12-18T01:15:06.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-03T08:15:07.953", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6266"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6267"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6268"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6748"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6801"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6803"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6804"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6810"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7213"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:11049"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-46846"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245910"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6266"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6267"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6268"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6748"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6801"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6803"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6804"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6810"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7213"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-46846"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245910"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00008.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20231130-0002/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-444"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:11049", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "squid-7:3.5.20-17.el7_9.13", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-12-16T00:00:00Z"}, {"advisory": "RHSA-2023:6267", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "squid:4-8080020231030214932.63b34585", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-02T00:00:00Z"}, {"advisory": "RHSA-2023:7213", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "squid:4-8090020231030224841.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:6810", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "squid:4-8010020231101141358.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6803", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "squid:4-8020020231101135052.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6803", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "squid:4-8020020231101135052.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6803", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "squid:4-8020020231101135052.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6804", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "squid:4-8040020231101101624.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6804", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "squid:4-8040020231101101624.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6804", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "squid:4-8040020231101101624.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6801", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "squid:4-8060020231031165747.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6266", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "squid-7:5.5-5.el9_2.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-02T00:00:00Z"}, {"advisory": "RHSA-2023:6748", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "squid-7:5.5-6.el9_3.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2023:6268", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "squid-7:5.2-1.el9_0.3", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-11-02T00:00:00Z"}], "bugzilla": {"description": "squid: Request/Response smuggling in HTTP/1.1 and ICAP", "id": "2245910", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245910"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.", "SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems."], "name": "CVE-2023-46846", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2023-10-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-46846\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-46846\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh"], "statement": "This attack is limited to the HTTP/1.1 and ICAP protocols which support receiving Transfer-Encoding:chunked.", "threat_severity": "Important", "upstream_fix": "squid 6.4"}