What is CVE-2023-46846?

CVE-2023-46846 is a critical-severity vulnerability in Squid-cache Squid, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 9.3/10. Published 2023-11-03.

How severe is CVE-2023-46846?

Critical severity. CVSS v3 base score is 9.3 out of 10.

Vulnerability in Squid-cache Squid

CVE-2023-46846

SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.

Vulnerability class: HTTP Request Smuggling

EPSS: 0.053 (91.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.3 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N.

Affected products

Squid-cache Squid
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7 Extended Lifecycle Support — versions 7:3.5.20-17.el7_9.13
Red Hat Enterprise Linux 8 — versions 8080020231030214932.63b34585, 8090020231030224841.a75119d5
Red Hat Enterprise Linux 8.1 Update Services For Sap Solutions — versions 8010020231101141358.c27ad7f8
Red Hat Enterprise Linux 8.2 Advanced Update Support — versions 8020020231101135052.4cda2c84
Red Hat Enterprise Linux 8.2 Telecommunications Update Service — versions 8020020231101135052.4cda2c84
Red Hat Enterprise Linux 8.2 Update Services For Sap Solutions — versions 8020020231101135052.4cda2c84
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support — versions 8040020231101101624.522a0ee4
Red Hat Enterprise Linux 8.4 Telecommunications Update Service — versions 8040020231101101624.522a0ee4

Weakness classification (CWE)

CWE-444 — Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)

References

secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)

Frequently asked questions

What is CVE-2023-46846?: CVE-2023-46846 is a critical-severity vulnerability in Squid-cache Squid, classified under Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). CVSS score: 9.3/10. Published 2023-11-03.
How severe is CVE-2023-46846?: Critical severity. CVSS v3 base score is 9.3 out of 10.