CVE-2023-46846: 
Squid vulnerability analysis and mitigation

CVE-2023-46846 is a critical vulnerability in SQUID, discovered in October 2023, affecting versions 2.6 through 6.3. The vulnerability is related to HTTP request smuggling, caused by chunked decoder lenience, which allows remote attackers to perform Request/Response smuggling past firewall and frontend security systems (Squid Advisory).

The vulnerability stems from a chunked decoder lenience issue in SQUID's HTTP request parsing mechanism. The attack is limited to HTTP/1.1 and ICAP protocols that support receiving Transfer-Encoding:chunked. The vulnerability has received a CVSS v3.1 base score of 9.3 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows attackers to perform Request/Response smuggling attacks when the upstream server interprets the chunked encoding syntax differently from Squid. This can lead to bypassing firewall and frontend security systems, potentially resulting in unauthorized access to sensitive information and data modification (Squid Advisory).

The vulnerability has been patched in Squid version 6.4. For earlier versions, patches are available in the patch archives for Squid 5 and 6 series. Red Hat has released multiple security updates addressing this vulnerability across different versions of their Enterprise Linux distributions (Red Hat Advisory, Debian Advisory).