CVE-2019-12529

Source
https://cve.org/CVERecord?id=CVE-2019-12529
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12529.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-12529
Published
2019-07-11T19:15:13.157Z
Modified
2026-03-15T21:56:01.224275Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.

Affected packages

Git / github.com/squid-cache/squid

Affected ranges

Type
GIT
Repo
https://github.com/squid-cache/squid
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.x"
        },
        {
            "last_affected": "4.7."
        }
    ]
}

Affected versions

Other
BASIC_TPROXY4
SQUID_4_0_1
SQUID_4_0_10
SQUID_4_0_11
SQUID_4_0_12
SQUID_4_0_13
SQUID_4_0_14
SQUID_4_0_15
SQUID_4_0_16
SQUID_4_0_17
SQUID_4_0_18
SQUID_4_0_19
SQUID_4_0_2
SQUID_4_0_20
SQUID_4_0_21
SQUID_4_0_22
SQUID_4_0_23
SQUID_4_0_24
SQUID_4_0_25
SQUID_4_0_3
SQUID_4_0_4
SQUID_4_0_5
SQUID_4_0_6
SQUID_4_0_7
SQUID_4_0_8
SQUID_4_0_9
SQUID_4_1
SQUID_4_2
SQUID_4_3
SQUID_4_4
SQUID_4_5
SQUID_4_6
SQUID_4_7
for-libecap-v0p1
merge-candidate-3-v1
merge-candidate-3-v2
sourceformat-review-1
take00
take01
take02
take03
take04
take06
take07
take08
take09
take1
take2
BumpSslServerFirst.*
BumpSslServerFirst.take01
BumpSslServerFirst.take02
BumpSslServerFirst.take03
BumpSslServerFirst.take04
BumpSslServerFirst.take05
BumpSslServerFirst.take06
BumpSslServerFirst.take07
BumpSslServerFirst.take08
BumpSslServerFirst.take09
BumpSslServerFirst.take10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12529.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "2.0"
            },
            {
                "fixed": "2.7"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "3.0"
            },
            {
                "last_affected": "3.5.28"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.0"
            },
            {
                "last_affected": "4.7"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.7-stable1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.7-stable2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.7-stable3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.7-stable4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.7-stable5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.7-stable6"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.7-stable7"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.7-stable8"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "2.7-stable9"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "29"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "19.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "2.x"
            },
            {
                "last_affected": "2.7.STABLE9"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "3.x"
            },
            {
                "last_affected": "3.5.28"
            }
        ]
    }
]