DEBIAN-CVE-2019-12524

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2019-12524
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2019-12524.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2019-12524
Upstream
Published
2020-04-15T19:15:12Z
Modified
2025-09-19T06:07:45Z
Summary
[none]
Details

An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via urlregex. The handler for urlregex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.

References

Affected packages

Debian:11 / squid

Package

Name
squid
Purl
pkg:deb/debian/squid?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / squid

Package

Name
squid
Purl
pkg:deb/debian/squid?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / squid

Package

Name
squid
Purl
pkg:deb/debian/squid?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / squid

Package

Name
squid
Purl
pkg:deb/debian/squid?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}