Lucene search

K
ubuntucveUbuntu.comUB:CVE-2019-12529
HistoryJul 11, 2019 - 12:00 a.m.

CVE-2019-12529

2019-07-1100:00:00
ubuntu.com
ubuntu.com
13

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.007 Low

EPSS

Percentile

80.4%

An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through
3.5.28, and 4.x through 4.7. When Squid is configured to use Basic
Authentication, the Proxy-Authorization header is parsed via uudecode.
uudecode determines how many bytes will be decoded by iterating over the
input and checking its table. The length is then used to start decoding the
string. There are no checks to ensure that the length it calculates isn’t
greater than the input buffer. This leads to adjacent memory being decoded
as well. An attacker would not be able to retrieve the decoded data unless
the Squid maintainer had configured the display of usernames on error
pages.

Notes

Author Note
mdeslaur as of 2019-07-12, no equivalent fix in 3.5.x tree
OSVersionArchitecturePackageVersionFilename
ubuntu19.04noarchsquid< 4.4-1ubuntu2.2UNKNOWN
ubuntu18.04noarchsquid3< 3.5.27-1ubuntu1.3UNKNOWN
ubuntu16.04noarchsquid3< 3.5.12-1ubuntu7.8UNKNOWN

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.007 Low

EPSS

Percentile

80.4%