CVE-2019-12524

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-12524

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12524.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-12524

Related

Published

2020-04-15T19:15:12Z

Modified

2024-09-18T03:02:01.720334Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via urlregex. The handler for urlregex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.

References

Affected packages

Debian:11 / squid

Package

Name: squid
Purl: pkg:deb/debian/squid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / squid

Package

Name: squid
Purl: pkg:deb/debian/squid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / squid

Package

Name: squid
Purl: pkg:deb/debian/squid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/squid-cache/squid

Affected ranges

Type: GIT
Repo: https://github.com/squid-cache/squid
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

2e17b02616d37206ba9cccc53c20667624fbef9f

Affected versions

Other

BASIC_TPROXY4

SQUID_3_0_PRE1

SQUID_3_0_PRE2

SQUID_3_0_PRE3

SQUID_3_0_PRE4

SQUID_3_0_PRE5

SQUID_3_0_PRE6

SQUID_3_0_PRE7

SQUID_3_0_RC1

SQUID_4_0_1

SQUID_4_0_10

SQUID_4_0_11

SQUID_4_0_12

SQUID_4_0_13

SQUID_4_0_14

SQUID_4_0_15

SQUID_4_0_16

SQUID_4_0_17

SQUID_4_0_18

SQUID_4_0_19

SQUID_4_0_2

SQUID_4_0_20

SQUID_4_0_21

SQUID_4_0_22

SQUID_4_0_23

SQUID_4_0_24

SQUID_4_0_25

SQUID_4_0_3

SQUID_4_0_4

SQUID_4_0_5

SQUID_4_0_6

SQUID_4_0_7

SQUID_4_0_8

SQUID_4_0_9

SQUID_4_1

SQUID_4_2

SQUID_4_3

SQUID_4_4

SQUID_4_5

SQUID_4_6

SQUID_4_7

for-libecap-v0p1

merge-candidate-3-v1

merge-candidate-3-v2

sourceformat-review-1

take00

take01

take02

take03

take04

take06

take07

take08

take09

take1

take2

BumpSslServerFirst.*

BumpSslServerFirst.take01

BumpSslServerFirst.take02

BumpSslServerFirst.take03

BumpSslServerFirst.take04

BumpSslServerFirst.take05

BumpSslServerFirst.take06

BumpSslServerFirst.take07

BumpSslServerFirst.take08

BumpSslServerFirst.take09

BumpSslServerFirst.take10