QwikSec

Security Database

CVE

CWE

Training

CVE-2019-12525

Published: Jul 11, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://www.squid-cache.org/Versions/v4/changesets/

x_refsource_CONFIRM

https://github.com/squid-cache/squid/commits/v4

x_refsource_CONFIRM

http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch

x_refsource_CONFIRM

vendor-advisory

x_refsource_UBUNTU

[debian-lts-announce] 20190720 [SECURITY] [DLA 1858-1] squid3 security update

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_UBUNTU

FEDORA-2019-cb50bcc189

vendor-advisory

x_refsource_FEDORA

vendor-advisory

x_refsource_DEBIAN

20190825 [SECURITY] [DSA 4507-1] squid security update

mailing-list

x_refsource_BUGTRAQ

openSUSE-SU-2019:2540

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2019:2541

vendor-advisory

x_refsource_SUSE

[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.