CVE-2019-12524

Priority
Description
An issue was discovered in Squid through 4.7. When handling requests from
users, Squid checks its rules to see if the request should be denied. Squid
by default comes with rules to block access to the Cache Manager, which
serves detailed server information meant for the maintainer. This rule is
implemented via url_regex. The handler for url_regex rules URL-decodes an
incoming request. This allows an attacker to encode their URL to bypass the
url_regex check and gain access to the blocked resource.
Assigned-to
mdeslaur
Notes
mdeslaur: fixed in Debian's 3.5.23-5+deb9u2
mdeslaur: same patch as CVE-2019-12520
Package
Source: squid (LP Ubuntu Debian)
Upstream: released (4.8)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 20.04 LTS (Focal Fossa): not-affected (4.10-1ubuntu1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (4.10-1ubuntu1)
Patches:
Upstream: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2019_4.patch
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not present)
Ubuntu 18.04 LTS (Bionic Beaver): released (3.5.27-1ubuntu1.7)
Ubuntu 20.04 LTS (Focal Fossa): DNE
Ubuntu 20.10 (Groovy Gorilla): DNE
Updated: 2020-09-09 22:47:08 UTC (commit b67d7d8b03f173f825cd706df5bd078bca500b0e)