CVE-2023-46848: 
Squid vulnerability analysis and mitigation

CVE-2023-46848 affects Squid, a high-performance proxy caching server, in versions 5.0.3 through 5.9 and 6.0 through 6.3. The vulnerability was discovered by Joshua Rogers of Opera Software and was disclosed in October 2023. The issue affects Squid's handling of FTP URLs in HTTP Request messages and FTP Native input validation (Squid Advisory).

The vulnerability stems from an Incorrect Conversion between Numeric Types (CWE-681) that affects two specific components: FTP Native Relay input validation and ftp:// URL validation and access control. The vulnerability has received a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, though Red Hat has assessed it at 8.6 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (NVD, Squid Advisory).

The vulnerability allows remote attackers to perform a Denial of Service (DoS) attack by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input. The impact is particularly significant as this issue is triggered during access control security checks, meaning clients may not have been permitted to use the proxy yet. Additionally, FTP support is always enabled and cannot be disabled completely (Squid Advisory).

The vulnerability has been fixed in Squid version 6.4. For earlier versions, patches are available for the stable releases in the Squid patch archives. The FTP Native Relay input validation vector can be partially mitigated by removing all ftp_port directives from squid.conf. However, there are no workarounds to avoid the ftp:// URL validation and access control vector (Squid Advisory).