cnvd - cnvd-2019-42422

cnvd-2019-42422

Vulnerability from cnvd

Title: Squid URI processor输入验证错误漏洞

Description:

Squid是一套代理服务器和Web缓存服务器软件。该软件提供缓存万维网、过滤流量、代理上网等功能。URI processor是其中的一个URI（统一资源标识符）处理器。

Squid中的URI processor存在输入验证错误漏洞，该漏洞源于网络系统或产品未对输入的数据进行正确的验证，攻击者可利用该漏洞执行非法操作。

Severity: 中

Patch Name: Squid URI processor输入验证错误漏洞的补丁

Patch Description:

Squid中的URI processor存在输入验证错误漏洞，该漏洞源于网络系统或产品未对输入的数据进行正确的验证，攻击者可利用该漏洞执行非法操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： http://www.squid-cache.org/Advisories/SQUID-2019_8.txt

Reference: https://www.auscert.org.au/bulletins/ESB-2019.4232/

Impacted products

Name
Squid Squid <4.9

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-12523"
    }
  },
  "description": "Squid\u662f\u4e00\u5957\u4ee3\u7406\u670d\u52a1\u5668\u548cWeb\u7f13\u5b58\u670d\u52a1\u5668\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u7f13\u5b58\u4e07\u7ef4\u7f51\u3001\u8fc7\u6ee4\u6d41\u91cf\u3001\u4ee3\u7406\u4e0a\u7f51\u7b49\u529f\u80fd\u3002URI processor\u662f\u5176\u4e2d\u7684\u4e00\u4e2aURI\uff08\u7edf\u4e00\u8d44\u6e90\u6807\u8bc6\u7b26\uff09\u5904\u7406\u5668\u3002\n\nSquid\u4e2d\u7684URI processor\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u5bf9\u8f93\u5165\u7684\u6570\u636e\u8fdb\u884c\u6b63\u786e\u7684\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5\u64cd\u4f5c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://www.squid-cache.org/Advisories/SQUID-2019_8.txt",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-42422",
  "openTime": "2019-11-27",
  "patchDescription": "Squid\u662f\u4e00\u5957\u4ee3\u7406\u670d\u52a1\u5668\u548cWeb\u7f13\u5b58\u670d\u52a1\u5668\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u7f13\u5b58\u4e07\u7ef4\u7f51\u3001\u8fc7\u6ee4\u6d41\u91cf\u3001\u4ee3\u7406\u4e0a\u7f51\u7b49\u529f\u80fd\u3002URI processor\u662f\u5176\u4e2d\u7684\u4e00\u4e2aURI\uff08\u7edf\u4e00\u8d44\u6e90\u6807\u8bc6\u7b26\uff09\u5904\u7406\u5668\u3002\r\n\r\nSquid\u4e2d\u7684URI processor\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u5bf9\u8f93\u5165\u7684\u6570\u636e\u8fdb\u884c\u6b63\u786e\u7684\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Squid URI processor\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Squid Squid \u003c4.9"
  },
  "referenceLink": "https://www.auscert.org.au/bulletins/ESB-2019.4232/",
  "serverity": "\u4e2d",
  "submitTime": "2019-11-13",
  "title": "Squid URI processor\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2019-12523 (GCVE-0-2019-12523)

Vulnerability from cvelistv5

Published

2019-11-26 16:39

Modified

2024-08-04 23:24

Severity ?

CWE

Summary

An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost.

References

▼	URL	Tags
	http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html	x_refsource_CONFIRM
	http://www.squid-cache.org/Advisories/SQUID-2019_8.txt	x_refsource_CONFIRM
	https://bugzilla.suse.com/show_bug.cgi?id=1156329	x_refsource_CONFIRM
	https://usn.ubuntu.com/4213-1/	vendor-advisory, x_refsource_UBUNTU
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/	vendor-advisory, x_refsource_FEDORA
	https://www.debian.org/security/2020/dsa-4682	vendor-advisory, x_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html	mailing-list, x_refsource_MLIST
	https://usn.ubuntu.com/4446-1/	vendor-advisory, x_refsource_UBUNTU

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:24:39.198Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
          },
          {
            "name": "USN-4213-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4213-1/"
          },
          {
            "name": "FEDORA-2019-0b16cbdd0e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
          },
          {
            "name": "FEDORA-2019-9538783033",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
          },
          {
            "name": "DSA-4682",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4682"
          },
          {
            "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
          },
          {
            "name": "USN-4446-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4446-1/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn\u0027t go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-05T19:06:08",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
        },
        {
          "name": "USN-4213-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4213-1/"
        },
        {
          "name": "FEDORA-2019-0b16cbdd0e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
        },
        {
          "name": "FEDORA-2019-9538783033",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
        },
        {
          "name": "DSA-4682",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4682"
        },
        {
          "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        },
        {
          "name": "USN-4446-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4446-1/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-12523",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn\u0027t go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html",
              "refsource": "CONFIRM",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html"
            },
            {
              "name": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt",
              "refsource": "CONFIRM",
              "url": "http://www.squid-cache.org/Advisories/SQUID-2019_8.txt"
            },
            {
              "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156329",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156329"
            },
            {
              "name": "USN-4213-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4213-1/"
            },
            {
              "name": "FEDORA-2019-0b16cbdd0e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
            },
            {
              "name": "FEDORA-2019-9538783033",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
            },
            {
              "name": "DSA-4682",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4682"
            },
            {
              "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
            },
            {
              "name": "USN-4446-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4446-1/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-12523",
    "datePublished": "2019-11-26T16:39:59",
    "dateReserved": "2019-06-02T00:00:00",
    "dateUpdated": "2024-08-04T23:24:39.198Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted