CVE-2019-12529

Published: 11/07/2019 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

An issue exists in Squid 2.x up to and including 2.7.STABLE9, 3.x up to and including 3.5.28, and 4.x up to and including 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.
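
A hardened counterpart to the length calculation described above, as an added example (not Squid's code and not taken from the advisory): the decoder takes an explicit input length, so both the table scan and the decode loop stop at the end of the buffer. The name `bounded_b64_decode` is hypothetical, and the standard base64 alphabet is assumed for the Basic credentials.

```c
#include <stddef.h>

/* Map one base64 character to its 6-bit value; -1 if it is not in the table. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hypothetical bounded decoder (illustration only, not Squid's uudecode).
 * Reads at most in_len bytes of in; returns bytes written to out, or -1 when
 * the input is malformed or the result would not fit in out_cap bytes. */
long bounded_b64_decode(const char *in, size_t in_len,
                        unsigned char *out, size_t out_cap)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t n = 0, i = 0, o = 0, tail;
    unsigned v;
    /* Count table characters, stopping at the end of the buffer as well as
     * at the first byte outside the table ('=' padding included). */
    while (n < in_len && b64_value(p[n]) >= 0)
        n++;
    tail = n % 4;
    if (tail == 1)                        /* 6 leftover bits: malformed */
        return -1;
    if ((n / 4) * 3 + (tail ? tail - 1 : 0) > out_cap)
        return -1;                        /* size check before any write */

    for (; i + 4 <= n; i += 4) {          /* complete groups of four */
        v = ((unsigned)b64_value(p[i]) << 18) | ((unsigned)b64_value(p[i + 1]) << 12)
          | ((unsigned)b64_value(p[i + 2]) << 6) | (unsigned)b64_value(p[i + 3]);
        out[o++] = (unsigned char)(v >> 16);
        out[o++] = (unsigned char)(v >> 8);
        out[o++] = (unsigned char)v;
    }
    if (tail >= 2) {                      /* partial group: only counted bytes */
        v = ((unsigned)b64_value(p[i]) << 18) | ((unsigned)b64_value(p[i + 1]) << 12);
        if (tail == 3)
            v |= (unsigned)b64_value(p[i + 2]) << 6;
        out[o++] = (unsigned char)(v >> 16);
        if (tail == 3)
            out[o++] = (unsigned char)(v >> 8);
    }
    return (long)o;
}
```

Passing the length of the header value rather than relying on a terminator means bytes that follow the credentials in memory are never counted or decoded.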

Vulnerable Product

squid-cache squid 2.7

squid-cache squid

debian debian linux 8.0

debian debian linux 9.0

debian debian linux 10.0

fedoraproject fedora 29

opensuse leap 15.0

opensuse leap 15.1

canonical ubuntu linux 18.04

canonical ubuntu linux 19.04

canonical ubuntu linux 16.04

canonical ubuntu linux 12.04

Vendor Advisories

Synopsis: Moderate: squid:4 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability ...
Several security issues were fixed in Squid ...
Several security issues were fixed in Squid ...
Several vulnerabilities were discovered in Squid, a fully featured web proxy cache. The flaws in the HTTP Digest Authentication processing, the HTTP Basic Authentication processing and in the cachemgr.cgi allowed remote attackers to perform denial of service and cross-site scripting attacks, and potentially the execution of arbitrary code. For the ...
Due to a buffer overflow bug, Squid is vulnerable to a Denial of Service attack against HTTP Digest Authentication. An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detaile ...
Impact: Moderate Public Date: 2019-07-11 CWE: CWE-119 Bugzilla: 1730528: CVE-2019-12529 squid: informat ...