CVE-2019-12523 — Improper Input Validation in Squid

CWE-20 — Improper Input Validation13 documents8 sources

Severity

9.1CRITICALNVD

OSV7.5

EPSS

0.6%

top 31.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Canonical Ubuntu Linux +3 more

Timeline

PublishedNov 26

Latest updateMay 24

Description

An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶Debiansquid/squid< 4.9-1+3

▶NVDsquid-cache/squid3.0 — 3.5.28+1

▶NVDopensuse/leap15.0

Also affects: Debian Linux 10.0, 9.0, Fedora 30, 31, Ubuntu Linux 16.04, 18.04, 19.04, 19.10

🔴Vulnerability Details

GHSA

GHSA-99vq-f459-jqrg: An issue was discovered in Squid before 4↗2022-05-24

▶

OSV

squid3 regression↗2020-08-27

▶

OSV

squid3 vulnerabilities↗2020-08-03

▶

OSV

squid, squid3 vulnerabilities↗2019-12-04

▶

OSV

CVE-2019-12523: An issue was discovered in Squid before 4↗2019-11-26

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2020-08-03

▶

Ubuntu

Squid vulnerabilities↗2019-12-04

▶

Red Hat

squid: Improper input validation in URI processor↗2019-11-05

▶

Debian

CVE-2019-12523: squid - An issue was discovered in Squid before 4.9. When handling a URN request, a corr...↗2019

▶

💬Community

Bugzilla

CVE-2019-12523 squid: Improper input validation in URI processor↗2019-11-08

▶

Bugzilla

CVE-2019-12523 squid: Improper input validation in URI processor [fedora-all]↗2019-11-08

▶