ByteOS Network

NVD Vulnerability Details :

CVE-2019-12527

Modified

Source-cve@mitre.org

Published At-11 Jul, 2019 | 19:15

Updated At-07 Nov, 2023 | 03:03

An issue was discovered in Squid 4.0.23 through 4.7. When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data. Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary	2.0	6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P

CPE Matches

Squid Cache

>>squid>>Versions from 4.0.23(inclusive) to 4.7(inclusive)

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

Fedora Project

>>fedora>>29

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

Debian GNU/Linux

>>debian_linux>>10.0

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Canonical Ltd.

>>ubuntu_linux>>16.04

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

Canonical Ltd.

>>ubuntu_linux>>18.04

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Canonical Ltd.

>>ubuntu_linux>>19.04

cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux>>8.0

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_eus>>8.1

cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_eus>>8.2

cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_eus>>8.4

cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_eus>>8.6

cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_server_aus>>8.2

cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_server_aus>>8.4

cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_server_aus>>8.6

cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_server_tus>>8.2

cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_server_tus>>8.4

cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_server_tus>>8.6

cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-787	Primary	nvd@nist.gov

References

Hyperlink	Source	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html	cve@mitre.org	Broken Link
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html	cve@mitre.org	Broken Link
http://www.securityfocus.com/bid/109143	cve@mitre.org	Broken Link Third Party Advisory VDB Entry
http://www.squid-cache.org/Versions/v4/changesets/	cve@mitre.org	Vendor Advisory
http://www.squid-cache.org/Versions/v4/changesets/squid-4-7f73e9c5d17664b882ed32590e6af310c247f320.patch	cve@mitre.org	Patch Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:2593	cve@mitre.org	Third Party Advisory
https://github.com/squid-cache/squid/commits/v4	cve@mitre.org	Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/	cve@mitre.org	N/A
https://seclists.org/bugtraq/2019/Aug/42	cve@mitre.org	Mailing List Third Party Advisory
https://usn.ubuntu.com/4065-1/	cve@mitre.org	Third Party Advisory
https://www.debian.org/security/2019/dsa-4507	cve@mitre.org	Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History