CVE-2019-12520

EUVD-2019-4115
An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
Affected Products (NVD)
VendorProductVersion
squid-cachesquid
𝑥
≤ 4.7
canonicalubuntu_linux
16.04
canonicalubuntu_linux
18.04
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
squid
bookworm
5.7-2+deb12u2
fixed
bookworm (security)
5.7-2+deb12u2
fixed
bullseye
4.13-10+deb11u3
fixed
bullseye (security)
4.13-10+deb11u3
fixed
sid
6.12-1
fixed
trixie
6.12-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
squid
bionic
dne
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
trusty
dne
xenial
dne
squid3
bionic
Fixed 3.5.27-1ubuntu1.7
released
eoan
dne
focal
dne
groovy
dne
hirsute
dne
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
http://www.squid-cache.org/Versions/v4/
http://www.squid-cache.org/Versions/v4/changesets/
https://github.com/squid-cache/squid/commits/v4
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
https://security.netapp.com/advisory/ntap-20210205-0006/
https://usn.ubuntu.com/4446-1/
https://www.debian.org/security/2020/dsa-4682
http://www.squid-cache.org/Versions/v4/
http://www.squid-cache.org/Versions/v4/changesets/
https://github.com/squid-cache/squid/commits/v4
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
https://security.netapp.com/advisory/ntap-20210205-0006/
https://usn.ubuntu.com/4446-1/
https://www.debian.org/security/2020/dsa-4682