CVE-2019-12854 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Squid

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-400 — Uncontrolled Resource Consumption10 documents8 sources

Severity

7.5HIGHNVD

EPSS

44.5%

top 2.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Canonical Ubuntu Linux +3 more

Timeline

PublishedAug 15

Latest updateMay 24

Description

Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Debiansquid/squid< 4.8-1+3

▶NVDsquid-cache/squid4.0 — 4.7

▶NVDopensuse/leap15.0, 15.1+1

Also affects: Debian Linux 10.0, Fedora 29, Ubuntu Linux 16.04, 18.04, 19.04, 19.10

Patches

Patch: www.squid-cache.org ↗Patch: www.squid-cache.org ↗

🔴Vulnerability Details

GHSA

GHSA-pxgg-fcwc-pc9f: Due to incorrect string termination, Squid cachemgr↗2022-05-24

▶

OSV

squid, squid3 vulnerabilities↗2019-12-04

▶

OSV

CVE-2019-12854: Due to incorrect string termination, Squid cachemgr↗2019-08-15

▶

CVEList

CVE-2019-12854: Due to incorrect string termination, Squid cachemgr↗2019-08-15

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2019-12-04

▶

Red Hat

squid: Denial of service in cachemgr.cgi↗2019-07-12

▶

Debian

CVE-2019-12854: squid - Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may acce...↗2019

▶

💬Community

Bugzilla

CVE-2019-12854 squid: Denial of service in cachemgr.cgi↗2019-07-17

▶

Bugzilla

CVE-2019-12854 squid: denial of service in cachemgr.cgi [fedora-all]↗2019-07-17

▶