QwikSec

Security Database

CVE

CWE

Training

CVE-2019-12529

Published: Jul 11, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://www.squid-cache.org/Versions/v4/changesets/

x_refsource_CONFIRM

https://github.com/squid-cache/squid/commits/v4

x_refsource_CONFIRM

http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch

x_refsource_CONFIRM

vendor-advisory

x_refsource_UBUNTU

[debian-lts-announce] 20190720 [SECURITY] [DLA 1858-1] squid3 security update

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_UBUNTU

FEDORA-2019-cb50bcc189

vendor-advisory

x_refsource_FEDORA

vendor-advisory

x_refsource_DEBIAN

20190825 [SECURITY] [DSA 4507-1] squid security update

mailing-list

x_refsource_BUGTRAQ

openSUSE-SU-2019:2540

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2019:2541

vendor-advisory

x_refsource_SUSE

[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.