CVE-2019-12523

Published: Nov 26, 2019Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost.

Affected (12)

Products: Squid Cache: Squid · Canonical: Ubuntu Linux · Fedoraproject: Fedora · +2 more

Show all products

Squid Cache: Squid · Canonical: Ubuntu Linux · Fedoraproject: Fedora · Opensuse: Leap · Debian: Debian Linux

1 product

1 product

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Squid Cache Squid	From 3.0 to 3.5.28
Squid Cache Squid	From 4.0 to 4.8

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 19.04
Canonical Ubuntu Linux	Version 19.10

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 30
Fedoraproject Fedora	Version 31

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.0

Configuration E

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration F

2 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04

References (18)

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html

Source: cve@mitre.org

Broken Link

http://www.squid-cache.org/Advisories/SQUID-2019_8.txt

Source: cve@mitre.org

Third Party Advisory

https://bugzilla.suse.com/show_bug.cgi?id=1156329

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/

Source: cve@mitre.org

https://usn.ubuntu.com/4213-1/

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/4446-1/

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2020/dsa-4682

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

http://www.squid-cache.org/Advisories/SQUID-2019_8.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.suse.com/show_bug.cgi?id=1156329

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/

Source: af854a3a-2127-422b-91ae-364da2661108

https://usn.ubuntu.com/4213-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://usn.ubuntu.com/4446-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2020/dsa-4682

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.