CVE-2019-12524

CVSS v3.1 9.8 (Critical)
CVSS v2.0 7.5 (High)
EPSS 1.11 % (85th)
Affected Products 3
Advisories 8

An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. By default, Squid comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL-decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check and gain access to the blocked resource.
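For log review on an affected proxy, the following added example (not part of the advisory or of Squid) flags requests that match a Cache Manager pattern only after percent-decoding. The regex, the `/squid-internal-mgr/` path, the native access.log field order and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: pattern modelled on a url_regex rule guarding the Cache Manager;
# the exact default rule text is not given on this page.
MANAGER_RE = re.compile(r"^(cache_object://|https?://[^/]+/squid-internal-mgr/)", re.I)
MAX_ROUNDS = 5  # upper bound on nested percent-encoding layers to unwrap

def canonicalize(url):
    """Percent-decode repeatedly until stable; return (decoded_url, layers)."""
    layers = 0
    while layers < MAX_ROUNDS:
        decoded = unquote(url)
        if decoded == url:
            break
        url, layers = decoded, layers + 1
    return url, layers

def classify(url):
    """'direct' if the raw URL matches, 'encoded' if only the decoded form does."""
    if MANAGER_RE.search(url):
        return "direct"
    decoded, layers = canonicalize(url)
    if layers and MANAGER_RE.search(decoded):
        return "encoded"
    return "other"

def scan(log_lines):
    """Return (client, url) pairs whose URL hits the pattern only after decoding."""
    hits = []
    for line in log_lines:
        fields = line.split()  # native format: time elapsed client code/status bytes method URL ...
        if len(fields) >= 7 and classify(fields[6]) == "encoded":
            hits.append((fields[2], fields[6]))
    return hits

# Constructed sample lines (documentation addresses and hostnames, not real traffic).
SAMPLE_LOG = [
    "1586978112.101  12 192.0.2.10 TCP_DENIED/403 3921 GET http://proxy.example/squid-internal-mgr/info - HIER_NONE/- text/html",
    "1586978113.220   8 192.0.2.44 TCP_MISS/200 5120 GET http://proxy.example/%73quid-internal-mgr/info - HIER_NONE/- text/plain",
    "1586978114.007   9 192.0.2.44 TCP_MISS/200 5120 GET http://proxy.example/%2573quid-internal-mgr/info - HIER_NONE/- text/plain",
    "1586978115.450  30 192.0.2.77 TCP_MISS/200 812 GET http://www.example.org/a%20b.html - HIER_DIRECT/198.51.100.5 text/html",
]

if __name__ == "__main__":
    for client, url in scan(SAMPLE_LOG):
        print(f"encoded Cache Manager request from {client}: {url}")
```

A hit with a 200-class status means the request was served rather than denied; the same canonicalize-then-match step can sit in front of any access rule that compares against a raw URL.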

Weaknesses
CWE-306
Missing Authentication for Critical Function
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2020-04-15 19:15:12
(4 years ago)
Updated Date
2021-02-09 16:55:39
(3 years ago)

Affected Products

Configuration #1

    CPE23 From Up To
  Squid-cache Squid 4.7 and prior versions cpe:2.3:a:squid-cache:squid <= 4.7

Configuration #2

    CPE23 From Up To
  Debian Linux 9.0 cpe:2.3:o:debian:debian_linux:9.0
  Debian Linux 10.0 cpe:2.3:o:debian:debian_linux:10.0

Configuration #3

    CPE23 From Up To
  Canonical Ubuntu Linux 16.04 cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts
  Canonical Ubuntu Linux 18.04 cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts