CVE-2019-12523
First published: Tue Nov 26 2019(Updated: )
An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Squid-Cache Squid | >=3.0<=3.5.28 | |
| Squid-Cache Squid | >=4.0<=4.8 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| openSUSE Leap | =15.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| ubuntu/squid | <4.4-1ubuntu2.3 | 4.4-1ubuntu2.3 |
| ubuntu/squid | <4.8-1ubuntu2.1 | 4.8-1ubuntu2.1 |
| ubuntu/squid | <4.9-2ubuntu1 | 4.9-2ubuntu1 |
| ubuntu/squid | <4.9-2ubuntu1 | 4.9-2ubuntu1 |
| ubuntu/squid | <4.9-2ubuntu1 | 4.9-2ubuntu1 |
| ubuntu/squid | <4.9-1 | 4.9-1 |
| ubuntu/squid3 | <3.5.27-1ubuntu1.7 | 3.5.27-1ubuntu1.7 |
| ubuntu/squid3 | <3.5.12-1ubuntu7.12 | 3.5.12-1ubuntu7.12 |
| debian/squid | 4.6-1+deb10u7 4.6-1+deb10u10 4.13-10+deb11u2 4.13-10+deb11u3 5.7-2 5.7-2+deb12u1 6.6-1 6.9-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html
- http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
- https://bugzilla.suse.com/show_bug.cgi?id=1156329
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
- https://usn.ubuntu.com/4213-1/
- https://usn.ubuntu.com/4446-1/
- https://www.debian.org/security/2020/dsa-4682
- https://launchpad.net/bugs/cve/CVE-2019-12523
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
- https://ubuntu.com/security/notices/USN-4213-1
- https://ubuntu.com/security/notices/USN-4446-1
- https://www.cve.org/CVERecord?id=CVE-2019-12523
- https://nvd.nist.gov/vuln/detail/CVE-2019-12523
- https://security-tracker.debian.org/tracker/CVE-2019-12523
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch
- https://ubuntu.com/security/CVE-2019-12523
Frequently Asked Questions
What is CVE-2019-12523?
CVE-2019-12523 is a vulnerability in Squid before version 4.9 that allows bypassing access checks and accessing restricted HTTP servers.
What is the severity of CVE-2019-12523?
The severity of CVE-2019-12523 is critical with a CVSS score of 9.1.
How does CVE-2019-12523 impact Squid?
CVE-2019-12523 impacts Squid by allowing access to restricted HTTP servers and bypassing access checks.
What versions of Squid are affected by CVE-2019-12523?
Versions before 4.9 of Squid are affected by CVE-2019-12523.
How do I fix CVE-2019-12523?
Update Squid to version 4.9 or later to fix CVE-2019-12523.
- collector/nvd-index
- agent/type
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/references
- agent/tags
- agent/softwarecombine
- agent/event
- vendor/squid-cache
- canonical/squid-cache squid
- version/squid-cache squid/3.0
- version/squid-cache squid/3.5.28
- version/squid-cache squid/4.0
- version/squid-cache squid/4.8
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- version/canonical ubuntu linux/19.10
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- package-manager/ubuntu
- package-manager/debian