CVE-2019-12520 — HIGH (7.5)

Q: How severe is CVE-2019-12520?

CVE-2019-12520 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-12520?

Check the references section above for vendor advisories and patch information. Affected products include: Squid-Cache Squid, Canonical Ubuntu Linux, Debian Debian Linux.

Vulnerability Description

An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Squid-Cache	Squid	<= 4.7
Canonical	Ubuntu Linux	16.04
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-20

References

http://www.squid-cache.org/Versions/v4/Release NotesVendor Advisory
http://www.squid-cache.org/Versions/v4/changesets/Release NotesVendor Advisory
https://github.com/squid-cache/squid/commits/v4PatchThird Party Advisory
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.tThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20210205-0006/Third Party Advisory
https://usn.ubuntu.com/4446-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4682Third Party Advisory
http://www.squid-cache.org/Versions/v4/Release NotesVendor Advisory
http://www.squid-cache.org/Versions/v4/changesets/Release NotesVendor Advisory
https://github.com/squid-cache/squid/commits/v4PatchThird Party Advisory
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.tThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20210205-0006/Third Party Advisory
https://usn.ubuntu.com/4446-1/Third Party Advisory

FAQ

What is CVE-2019-12520?

CVE-2019-12520 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the ...

How severe is CVE-2019-12520?

CVE-2019-12520 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-12520?

Check the references section above for vendor advisories and patch information. Affected products include: Squid-Cache Squid, Canonical Ubuntu Linux, Debian Debian Linux.