CVE-2019-12527 — Out-of-bounds Write in Squid

CWE-787 — Out-of-bounds Write CWE-122 — Heap-based Buffer Overflow10 documents8 sources

Severity

8.8HIGHNVD

OSV9.8

EPSS

12.4%

top 6.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Canonical Ubuntu Linux +6 more

Timeline

PublishedJul 11

Latest updateMay 24

Description

An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶Debiansquid/squid< 4.8-1+3

▶NVDsquid-cache/squid4.0.23 — 4.7

Also affects: Debian Linux 10.0, Fedora 29, Ubuntu Linux 16.04, 18.04, 19.04, Enterprise Linux 8.0, 8.1, 8.2, 8.4, 8.6

Patches

Patch: www.squid-cache.org ↗Patch: github.com ↗Patch: www.squid-cache.org ↗

🔴Vulnerability Details

GHSA

GHSA-8x4r-gffh-rx7f: An issue was discovered in Squid 4↗2022-05-24

▶

OSV

squid, squid3 vulnerabilities↗2019-07-18

▶

OSV

CVE-2019-12527: An issue was discovered in Squid 4↗2019-07-11

▶

CVEList

CVE-2019-12527: An issue was discovered in Squid 4↗2019-07-11

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2019-07-18

▶

Red Hat

squid: heap-based buffer overflow in HttpHeader::getAuth↗2019-07-12

▶

Debian

CVE-2019-12527: squid - An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authent...↗2019

▶

💬Community

Bugzilla

CVE-2019-12527 squid: heap-based buffer overflow in HttpHeader::getAuth [fedora-all]↗2019-07-17

▶

Bugzilla

CVE-2019-12527 squid: heap-based buffer overflow in HttpHeader::getAuth↗2019-07-17

▶