CVE-2019-12526Out-of-bounds Write in Squid

CWE-787Out-of-bounds WriteCWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-120Classic Buffer Overflow11 documents9 sources
Severity
9.8CRITICALNVD
EPSS
33.6%
top 3.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
SquidSquid-cache SquidCanonical Ubuntu Linux+3 more
Timeline
PublishedNov 26
Latest updateMay 24

Description

An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

Debiansquid/squid< 4.9-1+3
NVDsquid-cache/squid3.03.5.28+1
NVDopensuse/leap15.0

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 30, 31, Ubuntu Linux 16.04, 18.04, 19.04, 19.10

🔴Vulnerability Details

4
GHSA
GHSA-rqc4-5489-hg7v: An issue was discovered in Squid before 42022-05-24
OSV
squid, squid3 vulnerabilities2019-12-04
CVEList
CVE-2019-12526: An issue was discovered in Squid before 42019-11-26
OSV
CVE-2019-12526: An issue was discovered in Squid before 42019-11-26

📋Vendor Advisories

3
Ubuntu
Squid vulnerabilities2019-12-04
Red Hat
squid: Heap overflow issue in URN processing2019-11-05
Debian
CVE-2019-12526: squid - An issue was discovered in Squid before 4.9. URN response handling in Squid suff...2019

💬Community

2
Bugzilla
CVE-2019-12526 squid: Heap overflow issue in URN processing [fedora-all]2019-11-08
Bugzilla
CVE-2019-12526 squid: Heap overflow issue in URN processing2019-11-08
CVE-2019-12526 — Out-of-bounds Write in Squid | cvebase