PT-2019-5177 · Squid+7 · Squid+8

Published 2019-07-11 · Updated 2024-06-15 · CVE-2019-12529

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Squid versions 2.x through 2.7.STABLE9
Squid versions 3.x through 3.5.28
Squid versions 4.x through 4.7
Description

The issue stems from a lack of protection for service data in the Squid proxy server. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. The uudecode function determines the number of bytes to decode by iterating over the input and checking each character against its decoding table, but it never checks that the calculated length does not exceed the input buffer, so adjacent memory is decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.
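As an added illustration (constructed for this page, not Squid's uudecode and not the vendor patch), a Base64 decoder for the Basic credential whose scan is bounded by the caller-supplied input length, which is the check the description says was missing; the function names and the sample header value are assumptions:

```c
#include <stddef.h>
#include <string.h>

/* Constructed example, not Squid's uudecode: decodes the Base64 credential
 * part of "Proxy-Authorization: Basic <data>" with every read bounded by
 * in_len and every write bounded by out_cap, whatever the input contains. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1; /* '=' padding or any other byte ends the credential */
}

/* Returns the number of bytes written to out, or -1 if out is too small.
 * The loop bound is the caller-supplied input length, not a length derived
 * from scanning the data, so decoding stops at the end of the header value
 * instead of continuing into whatever memory lies beyond it. */
long basic_b64_decode(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    unsigned long acc = 0;
    int bits = 0;
    size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v < 0) break;
        acc = (acc << 6) | (unsigned long)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -1; /* refuse rather than overflow out */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

/* Strips the "Basic " scheme prefix from a full header value and decodes the
 * credentials that follow it; any other scheme is rejected with -1. */
long decode_proxy_authorization(const char *value, unsigned char *out, size_t out_cap)
{
    const char prefix[] = "Basic ";
    size_t plen = sizeof(prefix) - 1;
    if (strncmp(value, prefix, plen) != 0)
        return -1;
    return basic_b64_decode(value + plen, strlen(value + plen), out, out_cap);
}
```

A truncated header value simply yields fewer bytes, and an output buffer that is too small is reported instead of being overrun.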
Recommendations

For Squid versions 2.x through 2.7.STABLE9, 3.x through 3.5.28 and 4.x through 4.7, consider disabling the use of Basic Authentication until a patch is available. As a temporary workaround, consider restricting access to the Proxy-Authorization header to minimize the risk of exploitation.

Fix

Out of bounds Read

Information Disclosure


Weakness Enumeration

Related Identifiers

ALSA-2020:4743
ALT-PU-2019-2264
ALT-PU-2019-2271
BDU:2020-01848
CESA-2020_4743
CVE-2019-12529
DLA-1858-1
DLA-2278-1
DLA-2278-2
DLA-2278-3
DSA-4507-1
MGASA-2019-0265
MGASA-2019-0266
OPENSUSE-SU-2019:2540-1
OPENSUSE-SU-2019:2541-1
OPENSUSE-SU-2024:11403-1
RHSA-2020:4743
RLSA-2020:4743
SUSE-SU-2019:2089-1
SUSE-SU-2019:2089-2
SUSE-SU-2019:2975-1
SUSE-SU-2020:14460-1
USN-4065-1
USN-4065-2

Affected Products

Alt Linux
AlmaLinux
CentOS
Red Hat
Rocky Linux
Squid
Squid Cache
SUSE
Ubuntu