CVE-2019-12520 — Improper Input Validation in Squid

CWE-20 — Improper Input Validation10 documents8 sources

Severity

7.5HIGHNVD

EPSS

6.2%

top 9.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Canonical Ubuntu Linux +1 more

Timeline

PublishedApr 15

Latest updateMay 24

Description

An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the res…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDsquid-cache/squid4.7

▶Debiansquid/squid< 4.8-1+3

Also affects: Debian Linux 10.0, 9.0, Ubuntu Linux 16.04, 18.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-gx26-q49r-m7g8: An issue was discovered in Squid through 4↗2022-05-24

▶

OSV

squid3 regression↗2020-08-27

▶

OSV

squid3 vulnerabilities↗2020-08-03

▶

OSV

CVE-2019-12520: An issue was discovered in Squid through 4↗2020-04-15

▶

CVEList

CVE-2019-12520: An issue was discovered in Squid through 4↗2020-04-15

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2020-08-03

▶

Red Hat

squid: Improper input validation in request allows for proxy manipulation↗2020-04-24

▶

Debian

CVE-2019-12520: squid - An issue was discovered in Squid through 4.7 and 5. When receiving a request, Sq...↗2019

▶

💬Community

Bugzilla

CVE-2019-12520 squid: Improper input validation in request allows for proxy manipulation↗2020-04-24

▶