Arch Linux advisory ASA-201907-5 (Jul 17, 2019 - 12:00 a.m.)

[ASA-201907-5] squid: arbitrary code execution

2019-07-17 00:00:00
security.archlinux.org

CVSS3: 8.8 High
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED
  Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE
  Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.039 Low (Percentile: 91.8%)

Arch Linux Security Advisory ASA-201907-5

Severity: Critical
Date : 2019-07-17
CVE-ID : CVE-2019-12527
Package : squid
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1004

Summary

The package squid before version 4.8-1 is vulnerable to arbitrary code
execution.

Resolution

Upgrade to 4.8-1.

pacman -Syu "squid>=4.8-1"

The problem has been fixed upstream in version 4.8.
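To decide whether an installed squid version falls inside this advisory's affected range (everything below 4.8-1), here is an added Python example; it is not part of the advisory and not pacman's own code. The names `vercmp`, `_segcmp` and `is_vulnerable` are hypothetical, the comparison is a simplified model of pacman's version ordering (epoch, then pkgver, then pkgrel, with alphanumeric segments), and the sample versions are constructed.

```python
import re

# Affected range from the advisory: every squid version below 4.8-1.
FIXED_VERSION = "4.8-1"

def _split(v):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel); epoch defaults to 0."""
    epoch = "0"
    if ":" in v:
        epoch, v = v.split(":", 1)
    pkgver, _, pkgrel = v.partition("-")
    return int(epoch), pkgver, pkgrel

def _segcmp(a, b):
    """Compare version strings segment by segment: digits numerically, letters
    lexically, separators ignored; a numeric segment sorts after an alphabetic one
    (simplified model of pacman's vercmp, an assumption of this example)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # One string has trailing segments: a trailing alpha segment ("4.8rc1")
    # sorts before the bare version, a trailing numeric one ("4.8.1") after it.
    longer, rest = (sa, sa[len(sb)]) if len(sa) > len(sb) else (sb, sb[len(sa)])
    longer_is_newer = rest.isdigit()
    return (1 if longer_is_newer else -1) if longer is sa else (-1 if longer_is_newer else 1)

def vercmp(a, b):
    """Return <0, 0 or >0 as a is older than, equal to, or newer than b."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _segcmp(va, vb)
    if c or not (ra and rb):   # pkgrel only counts when both sides carry one
        return c
    return _segcmp(ra, rb)

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version lies inside the advisory's affected range."""
    return vercmp(installed, fixed) < 0

if __name__ == "__main__":
    for v in ("4.7-2", "4.8rc1-1", "4.8-1", "4.10-1", "1:4.7-1"):   # constructed samples
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

On a real host the installed version would come from `pacman -Q squid`; the example keeps it as a constructed input so it runs offline.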

Workaround

None.

Description

Due to incorrect buffer management, Squid versions prior to 4.8 are
vulnerable to a heap overflow and possible remote code execution
when processing HTTP Authentication credentials.

Impact

A remote attacker can execute arbitrary code via crafted HTTP requests.

References

http://www.squid-cache.org/Advisories/SQUID-2019_5.txt
http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch
https://security.archlinux.org/CVE-2019-12527

OS         Version  Architecture  Package  Version  Filename
ArchLinux  any      any           squid    < 4.8-1  UNKNOWN
