CVE-2019-12520

squid: Improper input validation in request allows for proxy manipulation

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the decoded UserInfo (username and password) for certain protocols. This decoded info is prepended to the domain. This allows an attacker to provide a username that has special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI.

Se descubrió un problema en Squid versiones hasta 4.7 y 5. Cuando se recibe una petición, Squid comprueba su memoria caché para visualizar si puede servir una respuesta. Lo hace al realizar un hash MD5 de la URL absoluta de la petición. Si se encuentra, sirve la petición. La URL absoluta puede incluir la UserInfo decodificada (nombre de usuario y contraseña) para determinados protocolos. Esta información decodificada se antepone al dominio. Esto permite a un atacante proporcionar un nombre de usuario que tenga caracteres especiales para delimitar el dominio y tratar el resto de la URL como una ruta o cadena de consulta. Un atacante podría primero hacer una petición a su dominio usando un nombre de usuario codificado, luego, cuando llega una petición para el dominio objetivo que decodifica a la URL exacta, servirá el HTML del atacante en lugar del HTML real. En los servidores de Squid que también actúan como proxies inversos, esto permite a un atacante conseguir acceso a funcionalidades que solo los proxies inversos pueden utilizar, tal y como ESI.

A flaw was found in squid. The absolute URL of a request can include the decoded UserInfo (username and password) for certain protocols. This decoded info may contain special characters to delimit the domain, and treat the rest of the URL as a path or query string. An attacker could first make a request to their domain using an encoded username, then when a request for the target domain comes in that decodes to the exact URL, it will serve the attacker's HTML instead of the real HTML. On Squid servers that also act as reverse proxies, this allows an attacker to gain access to features that only reverse proxies can use, such as ESI.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-06-02 CVE Reserved
2020-04-15 CVE Published
2024-08-04 CVE Updated
2024-08-09 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (10)

URL	Tag	Source
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html	Mailing List
https://security.netapp.com/advisory/ntap-20210205-0006	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/squid-cache/squid/commits/v4	2021-02-11

URL	Date	SRC
http://www.squid-cache.org/Versions/v4	2021-02-11
http://www.squid-cache.org/Versions/v4/changesets	2021-02-11
https://usn.ubuntu.com/4446-1	2021-02-11
https://www.debian.org/security/2020/dsa-4682	2021-02-11
https://access.redhat.com/security/cve/CVE-2019-12520	2020-11-04
https://bugzilla.redhat.com/show_bug.cgi?id=1827558	2020-11-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Squid-cache Search vendor "Squid-cache"		Squid Search vendor "Squid-cache" for product "Squid"				<= 4.7 Search vendor "Squid-cache" for product "Squid" and version " <= 4.7"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected