CVE-2023-46846

9.3 CRITICAL

📋 TL;DR

CVE-2023-46846 is an HTTP request smuggling vulnerability in Squid proxy due to lenient chunked decoder handling. It allows attackers to bypass security controls like firewalls and frontend systems by smuggling malicious requests. Organizations using vulnerable Squid versions as reverse proxies or caching servers are affected.

💻 Affected Systems

Products:
  • Squid
Versions: Squid 5.0.4 through 5.7, 6.0.0 through 6.0.1
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Squid configured as HTTP proxy, reverse proxy, or cache server. All default configurations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass security controls, inject malicious content, perform cache poisoning, or conduct web application attacks against backend systems that would normally be blocked.

🟠 Likely Case

Request smuggling to bypass security filters, potentially leading to web application attacks, cache poisoning, or unauthorized access to internal resources.

🟢 If Mitigated

Limited impact with proper network segmentation, WAF protection, and monitoring in place to detect smuggling attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of HTTP request smuggling techniques but tools exist to automate attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Squid 5.7.1, 6.0.2, or later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:6266

Restart Required: Yes

Instructions:

1. Check the current Squid version.
2. Update to Squid 5.7.1, 6.0.2 or later using the package manager.
3. Restart the Squid service.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Disable chunked encoding (platform: linux)

Configure Squid to reject chunked transfer-encoding requests by adding the following line to squid.conf:

request_header_access Transfer-Encoding deny all

Use strict parsing mode (platform: linux)

Enable strict HTTP parsing in the Squid configuration by adding the following line to squid.conf:

http_port 3128 require-proxy-header

🧯 If You Can't Patch

  • Implement network segmentation to isolate Squid instances from critical backend systems
  • Deploy WAF with HTTP request smuggling detection capabilities in front of Squid

🔍 How to Verify

Check if Vulnerable:

Check the Squid version with 'squid -v' or 'rpm -q squid' and compare it to the affected versions (5.0.4 through 5.7, 6.0.0 through 6.0.1).

Check Version:

squid -v | grep Version || rpm -q squid || dpkg -l | grep squid

Verify Fix Applied:

Verify version is 5.7.1, 6.0.2 or later and test with HTTP request smuggling tools
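The version check above, written out as an added example that is not part of this advisory: a Python script that parses the output of 'squid -v' or 'rpm -q squid' and compares it against the affected ranges stated here (5.0.4 through 5.7, 6.0.0 through 6.0.1; fixed in 5.7.1 and 6.0.2). The sample outputs used below are constructed.

```python
import re
import subprocess

# Affected ranges as stated in this advisory, inclusive on both ends.
# 5.7 is treated as 5.7.0, so 5.7.1 and 6.0.2 fall outside the ranges.
AFFECTED_RANGES = [((5, 0, 4), (5, 7, 0)), ((6, 0, 0), (6, 0, 1))]


def parse_version(text):
    """Extract (major, minor, patch) from 'squid -v' output such as
    'Squid Cache: Version 5.7' or an rpm name such as 'squid-6.0.1-1.el9.x86_64'."""
    m = re.search(r"(?:Version\s+|\bsquid-)(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no Squid version found in output")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True if the version tuple falls inside one of the advisory's ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(version_output):
    """Parse a version string and report whether it is in the affected range."""
    version = parse_version(version_output)
    return {"version": version, "affected": is_affected(version)}


def assess_local_squid():
    """Run 'squid -v' on this host and assess it; returns None if squid is not installed."""
    try:
        out = subprocess.run(["squid", "-v"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None
    return assess(out)


if __name__ == "__main__":
    print(assess_local_squid())
```

Distribution packages may ship the fix as a backport under the original version number (the Red Hat advisory linked above is one such case), so treat a match here as a prompt to check the vendor advisory rather than as proof of exposure.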

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests with same connection ID
  • Malformed chunked encoding headers
  • Unexpected request sequences

Network Indicators:

  • HTTP requests with unusual chunked encoding patterns
  • Requests bypassing expected security controls

SIEM Query:

source="squid" AND ("Transfer-Encoding: chunked" OR ("chunked" AND "malformed"))
