HTTP Request Smuggling Affecting libecap package, versions <0:1.0.1-2.module+el8.9.0+1437+df5ea8f0
Threat Intelligence
EPSS
1.52% (88th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ROCKY8-LIBECAP-6055849
- published 12 Nov 2023
- disclosed 3 Nov 2023
Introduced: 3 Nov 2023
CVE-2023-46846 Open this link in a new tabHow to fix?
Upgrade Rocky-Linux:8 libecap to version 0:1.0.1-2.module+el8.9.0+1437+df5ea8f0 or higher.
This issue was patched in RLSA-2023:7213.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libecap package and not the libecap package as distributed by Rocky-Linux.
See How to fix? for Rocky-Linux:8 relevant fixed versions and status.
SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46846
- https://access.redhat.com/errata/RHSA-2023:6266
- https://access.redhat.com/errata/RHSA-2023:6267
- https://access.redhat.com/errata/RHSA-2023:6268
- https://access.redhat.com/errata/RHSA-2023:6748
- https://access.redhat.com/errata/RHSA-2023:6801
- https://access.redhat.com/errata/RHSA-2023:6803
- https://access.redhat.com/errata/RHSA-2023:6804
- https://access.redhat.com/errata/RHSA-2023:6810
- https://access.redhat.com/security/cve/CVE-2023-46846
- https://bugzilla.redhat.com/show_bug.cgi?id=2245910
- https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
- https://access.redhat.com/errata/RHSA-2023:7213
- https://security.netapp.com/advisory/ntap-20231130-0002/
- https://lists.debian.org/debian-lts-announce/2024/01/msg00003.html
- https://lists.debian.org/debian-lts-announce/2024/01/msg00008.html
CVSS Scores
version 3.1