CVE-2019-12529
- CVSS base score 5.9
- EPSS 16.21%
- Published 11 July 2019 19:15:13
- Last modified 21 November 2024 04:23:02
- Source cve@mitre.org
An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.
Data provided by the National Vulnerability Database (NVD)
Affected configurations:
- Squid-cache ≫ Squid, versions >= 2.0 and < 2.7
- Squid-cache ≫ Squid, versions >= 3.0 and <= 3.5.28
- Squid-cache ≫ Squid, versions >= 4.0 and <= 4.7
- Squid-cache ≫ Squid 2.7, update stable1
- Squid-cache ≫ Squid 2.7, update stable2
- Squid-cache ≫ Squid 2.7, update stable3
- Squid-cache ≫ Squid 2.7, update stable4
- Squid-cache ≫ Squid 2.7, update stable5
- Squid-cache ≫ Squid 2.7, update stable6
- Squid-cache ≫ Squid 2.7, update stable7
- Squid-cache ≫ Squid 2.7, update stable8
- Squid-cache ≫ Squid 2.7, update stable9
- Debian ≫ Debian Linux 8.0
- Debian ≫ Debian Linux 9.0
- Debian ≫ Debian Linux 10.0
- Fedoraproject ≫ Fedora 29
- Canonical ≫ Ubuntu Linux 12.04
- Canonical ≫ Ubuntu Linux 16.04 (software edition: esm)
- Canonical ≫ Ubuntu Linux 18.04 (software edition: lts)
- Canonical ≫ Ubuntu Linux 19.04
No CISA KEV entry or CERT.AT advisory was found for this CVE.
Type | Source | Score | Percentile
---|---|---|---
EPSS | FIRST.org | 16.21% | 0.946
Source | Base Score | Exploit Score | Impact Score | Vector String
---|---|---|---|---
nvd@nist.gov | 5.9 | 2.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-125: Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.