CVE-2019-12525
published 2019-07-11


Priority: P264, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 24.40% (97.6th percentile)
An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1.

Affected

17 ranges
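| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | squid | < squid 4.8-1 (bookworm) | squid 4.8-1 (bookworm) |
| fedoraproject | fedora | | |
| opensuse | leap | | |
| opensuse | leap | | |
| squid-cache | squid | 3.3.9 – 3.5.28 | |
| squid-cache | squid | 4.0 – 4.7 | |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |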

Detection & IOCs

  • Trigger condition: Squid receives a Proxy-Authorization header with a Digest auth token (e.g., domain, uri, or qop) whose value is a single quote character — this causes memcpy of length minus 1, corrupting memory.
  • Monitor HTTP/HTTPS proxy traffic for malformed Proxy-Authorization headers using Digest authentication scheme, especially tokens with a single-quote value.
  • Affected versions: Squid 3.3.9 through 3.5.28 and 4.x through 4.7. Fixed in Squid 4.8+. Alert on these version strings in proxy banners or package inventory.
  • Vulnerability is only exploitable when Digest authentication is enabled in squid.conf. Removing 'auth_param digest ...' lines mitigates the issue without patching.
  • Red Hat Enterprise Linux 5 and 6 (squid package) are listed as Not Affected; squid34 on RHEL 6 is out of support scope.
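
The monitoring check described in the list above, as an added example (not code from Squid or from this page's sources): it scans header lines for a Proxy-Authorization Digest credential in which any parameter's entire value is one double quote. Splitting parameters on commas outside quotes, and all function names and sample headers, are assumptions of this example.

```python
import re

def split_items(params: str) -> list[str]:
    """Split on commas outside double quotes; an unterminated quote runs to the end."""
    items, buf, in_quote = [], [], False
    for ch in params:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]

def lone_quote_tokens(header_value: str) -> list[str]:
    """Return Digest parameter names whose whole value is a single double quote."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return []  # Basic, Negotiate, etc. are outside this check
    hits = []
    for item in split_items(params):
        name, sep, value = item.partition("=")
        if sep and value.strip() == '"':
            hits.append(name.strip().lower())
    return hits

def scan(lines):
    """Yield (line_number, tokens) for Proxy-Authorization headers worth alerting on."""
    for n, line in enumerate(lines, 1):
        m = re.match(r"(?i)\s*proxy-authorization\s*:\s*(.*)$", line)
        if m:
            tokens = lone_quote_tokens(m.group(1))
            if tokens:
                yield n, tokens

# Constructed sample headers (not captured traffic).
SAMPLE = [
    'Proxy-Authorization: Digest username="alice", realm="proxy", uri="/", qop=auth',
    'Proxy-Authorization: Basic YWxpY2U6c2VjcmV0',
    'Proxy-Authorization: Digest username="alice", realm="proxy", qop=auth, uri="',
    'proxy-authorization: digest username="bob", realm="proxy", qop="  ',
]

if __name__ == "__main__":
    for n, tokens in scan(SAMPLE):
        print(f"line {n}: lone-quote value in {tokens}")
```

Well-formed values, including the empty quoted string `""`, are not flagged; only a value that is exactly one quote character is reported.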

CVSS provenance

nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL
vendor_ubuntu: 9.8 CRITICAL