First published: Thu Jul 11 2019
An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.
Credit: cve@mitre.org
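The defect class described above, as an added example that is not Squid's own code (the real HttpHeader::getAuth buffer is not reproduced here): a Basic credential decoder that writes into a fixed global buffer, but computes the decoded size from the base64 length first and rejects any header that would not fit. The buffer size, the header values and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed global credential buffer, mirroring the "global buffer"
 * pattern in the advisory. Size is arbitrary for this example. */
#define CRED_BUF_SIZE 64
static unsigned char g_cred[CRED_BUF_SIZE + 1]; /* +1 for a terminating NUL */

static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 text into out (capacity out_cap). Returns the number of
 * bytes written, or -1 on malformed input or when the decoded data would
 * not fit. The size check happens before any byte is written. */
static long b64_decode_bounded(const char *in, unsigned char *out, size_t out_cap)
{
    size_t len = strlen(in), pad = 0;
    while (len > 0 && in[len - 1] == '=' && pad < 2) { len--; pad++; }
    if ((len + pad) % 4 != 0) return -1;
    size_t decoded = (len + pad) / 4 * 3 - pad;
    if (decoded > out_cap) return -1;   /* the bounds check that was missing */

    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    return (long)n;
}

/* Parse an Authorization header value of the form "Basic <base64>" into
 * the global buffer. Returns the decoded length or -1 (scheme matching is
 * case-sensitive here for brevity; HTTP treats the scheme case-insensitively). */
static long basic_auth_to_global(const char *header_value)
{
    const char *p = header_value;
    if (strncmp(p, "Basic", 5) != 0) return -1;
    p += 5;
    if (*p != ' ') return -1;
    while (*p == ' ') p++;
    long n = b64_decode_bounded(p, g_cred, CRED_BUF_SIZE);
    if (n < 0) { g_cred[0] = '\0'; return -1; }
    g_cred[n] = '\0';
    return n;
}

static int global_cred_matches(const char *expected)
{
    return strcmp((const char *)g_cred, expected) == 0;
}

/* Constructed oversized header: 100 base64 characters decode to 75 bytes,
 * more than CRED_BUF_SIZE, so the decoder must refuse it. */
static const char *constructed_oversized_header(void)
{
    static char buf[6 + 100 + 1];
    strcpy(buf, "Basic ");
    for (int i = 0; i < 25; i++) strcat(buf, "QUFB");
    return buf;
}

int main(void)
{
    printf("%ld\n", basic_auth_to_global("Basic YWxpY2U6c2VjcmV0"));      /* 12 */
    printf("%s\n", g_cred);                                                /* alice:secret */
    printf("%ld\n", basic_auth_to_global(constructed_oversized_header())); /* -1 */
    return 0;
}
```

The important design point is the order of operations: the decoded length is derived from the input length before the write loop runs, so an over-long header is rejected up front rather than discovered after the buffer has already been overrun.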
Affected Software | Affected Version | How to fix |
---|---|---|
Squid-Cache Squid | >=4.0.23, <=4.7 | |
Fedoraproject Fedora | =29 | |
Debian Debian Linux | =10.0 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.04 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux Eus | =8.1 | |
Redhat Enterprise Linux Eus | =8.2 | |
Redhat Enterprise Linux Eus | =8.4 | |
Redhat Enterprise Linux Eus | =8.6 | |
Redhat Enterprise Linux Server Aus | =8.2 | |
Redhat Enterprise Linux Server Aus | =8.4 | |
Redhat Enterprise Linux Server Aus | =8.6 | |
Redhat Enterprise Linux Server Tus | =8.2 | |
Redhat Enterprise Linux Server Tus | =8.4 | |
Redhat Enterprise Linux Server Tus | =8.6 | |
redhat/squid | <4.8 | 4.8 |
ubuntu/squid | <4.4-1ubuntu2.2 | 4.4-1ubuntu2.2 |
ubuntu/squid | <4.8 | 4.8 |
debian/squid | | 4.6-1+deb10u7, 4.6-1+deb10u10, 4.13-10+deb11u2, 5.7-2, 6.6-1 |
The severity of CVE-2019-12527 is high (8.8).
CVE-2019-12527 can lead to a heap-based buffer overflow in Squid.
Squid versions 4.0.23 through 4.7 are affected by CVE-2019-12527.
Upgrade to Squid version 4.8 or apply the necessary patches provided by the vendor.
You can find more information about CVE-2019-12527 on the official Squid website and the GitHub repository of Squid.