7.5

CVE-2019-18679

EPSS 38.43%
Published 26.11.2019 17:15:13
Last modified 21.11.2024 04:33:31
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.

Affected products Warnungen 0 Metrics 3 CWE 1 References 14

Data is provided by the National Vulnerability Database (NVD)

Squid-cache ≫ Squid Version >= 2.0 <= 2.7

Squid-cache ≫ Squid Version >= 3.0 <= 3.5.28

Squid-cache ≫ Squid Version >= 4.0 <= 4.8

Squid-cache ≫ Squid Version2.7 Updatestable2

Squid-cache ≫ Squid Version2.7 Updatestable3

Squid-cache ≫ Squid Version2.7 Updatestable4

Squid-cache ≫ Squid Version2.7 Updatestable5

Squid-cache ≫ Squid Version2.7 Updatestable6

Squid-cache ≫ Squid Version2.7 Updatestable7

Squid-cache ≫ Squid Version2.7 Updatestable8

Squid-cache ≫ Squid Version2.7 Updatestable9

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version19.04

Canonical ≫ Ubuntu Linux Version19.10

Debian ≫ Debian Linux Version8.0

Fedoraproject ≫ Fedora Version30

Fedoraproject ≫ Fedora Version31

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	38.43%	0.971

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html

https://usn.ubuntu.com/4213-1/

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/

https://www.debian.org/security/2020/dsa-4682

https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html

Third Party Advisory

https://security.gentoo.org/glsa/202003-34

http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch

Release Notes

http://www.squid-cache.org/Advisories/SQUID-2019_11.txt

Third Party Advisory

https://bugzilla.suse.com/show_bug.cgi?id=1156324

Third Party Advisory

Issue Tracking

https://github.com/squid-cache/squid/pull/491

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-18679

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-18679

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-18679

EUVD