DEBIAN-CVE-2019-12522

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2019-12522

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2019-12522.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2019-12522

Upstream

CVE-2019-12522

Published

2020-04-15T19:15:12.473Z

Modified

2025-11-19T01:01:57.561539Z

Severity

4.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

[none]

Details

An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leavesuid call. leavesuid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.

References

https://security-tracker.debian.org/tracker/CVE-2019-12522

Affected packages

Debian:11 / squid

Package

Name: squid
Purl: pkg:deb/debian/squid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.13-10

4.13-10+deb11u1

4.13-10+deb11u2

4.13-10+deb11u3

4.13-10+deb11u4

4.13-10+deb11u5

4.13-10+deb11u6

5.*

5.1-2

5.2-1

5.5-1

5.5-1.1

5.6-1

5.7-1

5.7-2

6.*

6.1-1

6.1-2

6.3-1

6.5-1

6.6-1

6.8-1

6.9-1

6.10-1

6.12-1

6.13-1

6.13-2

7.*

7.1-1

7.2-1

7.2-2

7.4-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2019-12522.json"

Debian:12 / squid

Package

Name: squid
Purl: pkg:deb/debian/squid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.7-2

5.7-2+deb12u1

5.7-2+deb12u2

5.7-2+deb12u3

5.7-2+deb12u4

5.7-2+deb12u5

6.*

6.1-1

6.1-2

6.3-1

6.5-1

6.6-1

6.8-1

6.9-1

6.10-1

6.12-1

6.13-1

6.13-2

7.*

7.1-1

7.2-1

7.2-2

7.4-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2019-12522.json"

Debian:13 / squid

Package

Name: squid
Purl: pkg:deb/debian/squid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.13-2

6.13-2+deb13u1

7.*

7.1-1

7.2-1

7.2-2

7.4-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2019-12522.json"

Debian:14 / squid

Package

Name: squid
Purl: pkg:deb/debian/squid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.13-2

7.*

7.1-1

7.2-1

7.2-2

7.4-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2019-12522.json"