CVE-2019-12529

CVSS v3.1 5.9 (Medium)
CVSS v2.0 4.3 (Medium)
EPSS 1.06 % (84th)
Affected Products 5
Advisories 14

An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the credential in the Proxy-Authorization header is decoded with uudecode. uudecode determines how many bytes it will decode by iterating over the input and checking each byte against its decoding table; that length then drives the decoding loop. There is no check that the calculated length stays within the input buffer, so the loop also decodes adjacent memory. An attacker cannot retrieve the decoded data unless the Squid administrator has configured the display of usernames on error pages.

Weaknesses
CWE-125
Out-of-bounds Read
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2019-07-11 19:15:13
Updated Date
2023-11-07 03:03:37

Affected Products


Configuration #1

  Product                        CPE 2.3                                   From     Up To
  Squid-cache Squid              cpe:2.3:a:squid-cache:squid               >= 2.0   < 2.7
  Squid-cache Squid              cpe:2.3:a:squid-cache:squid               >= 3.0   <= 3.5.28
  Squid-cache Squid              cpe:2.3:a:squid-cache:squid               >= 4.0   <= 4.7
  Squid-cache Squid 2.7 Stable1  cpe:2.3:a:squid-cache:squid:2.7:stable1   -        -
  Squid-cache Squid 2.7 Stable2  cpe:2.3:a:squid-cache:squid:2.7:stable2   -        -
  Squid-cache Squid 2.7 Stable3  cpe:2.3:a:squid-cache:squid:2.7:stable3   -        -
  Squid-cache Squid 2.7 Stable4  cpe:2.3:a:squid-cache:squid:2.7:stable4   -        -
  Squid-cache Squid 2.7 Stable5  cpe:2.3:a:squid-cache:squid:2.7:stable5   -        -
  Squid-cache Squid 2.7 Stable6  cpe:2.3:a:squid-cache:squid:2.7:stable6   -        -
  Squid-cache Squid 2.7 Stable7  cpe:2.3:a:squid-cache:squid:2.7:stable7   -        -
  Squid-cache Squid 2.7 Stable8  cpe:2.3:a:squid-cache:squid:2.7:stable8   -        -
  Squid-cache Squid 2.7 Stable9  cpe:2.3:a:squid-cache:squid:2.7:stable9   -        -

Configuration #2

  Product             CPE 2.3
  Debian Linux 8.0    cpe:2.3:o:debian:debian_linux:8.0
  Debian Linux 9.0    cpe:2.3:o:debian:debian_linux:9.0
  Debian Linux 10.0   cpe:2.3:o:debian:debian_linux:10.0

Configuration #3

  Product                  CPE 2.3
  Fedoraproject Fedora 29  cpe:2.3:o:fedoraproject:fedora:29

Configuration #4

  Product             CPE 2.3
  Opensuse Leap 15.0  cpe:2.3:o:opensuse:leap:15.0
  Opensuse Leap 15.1  cpe:2.3:o:opensuse:leap:15.1

Configuration #5

  Product                       CPE 2.3
  Canonical Ubuntu Linux 12.04  cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-
  Canonical Ubuntu Linux 16.04  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm
  Canonical Ubuntu Linux 18.04  cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts
  Canonical Ubuntu Linux 19.04  cpe:2.3:o:canonical:ubuntu_linux:19.04