CVE-2019-12526
Published: 26 November 2019
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap.
Priority
Status
Package | Release | Status |
---|---|---|
squid Launchpad, Ubuntu, Debian |
groovy |
Released
(4.9-2ubuntu1)
|
bionic |
Does not exist
|
|
disco |
Released
(4.4-1ubuntu2.3)
|
|
eoan |
Released
(4.8-1ubuntu2.1)
|
|
focal |
Released
(4.9-2ubuntu1)
|
|
hirsute |
Released
(4.9-2ubuntu1)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.9-1)
|
|
xenial |
Does not exist
|
|
Patches: upstream: http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch |
||
squid3 Launchpad, Ubuntu, Debian |
groovy |
Does not exist
|
bionic |
Released
(3.5.27-1ubuntu1.4)
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
hirsute |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Released
(3.5.12-1ubuntu7.9)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |