PT-2020-2566 · Squid+7 · Squid+8

Jeriko One · Published 2019-07-15 · Updated 2021-02-09 · CVE-2019-12524

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Squid versions through 4.7

Description

An issue was discovered in Squid when handling requests from users. Squid checks its rules to see whether a request should be denied, and by default it ships with rules that block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL-decodes an incoming request, allowing an attacker to encode their URL to bypass the url_regex check and gain access to the blocked resource. The vulnerability is related to the lack of an authentication mechanism for url_regex.

Recommendations

For Squid versions through 4.7, consider disabling the url_regex handler until a patch is available, to prevent attackers from bypassing the url_regex check. Restrict access to the Cache Manager to minimize the risk of exploitation. Avoid using url_regex rules to block access to sensitive resources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
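
A detection sketch for the bypass described above, added here as an example and not taken from the advisory or from Squid: it flags access-log requests whose URL matches a Cache Manager pattern only after percent-decoding. The two manager URL patterns, the native access.log field order and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: URL forms that address Squid's Cache Manager.
MANAGER_RE = re.compile(r"^(cache_object://|https?://[^/]+/squid-internal-mgr/)", re.I)

def fully_decode(url, max_rounds=3):
    """Percent-decode repeatedly so double-encoded URLs are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify(url):
    """'manager' if the raw URL matches, 'encoded-manager' if only the decoded one does."""
    if MANAGER_RE.search(url):
        return "manager"
    if MANAGER_RE.search(fully_decode(url)):
        return "encoded-manager"
    return "other"

def scan(lines):
    """Return (client, result_code, verdict, url) for every manager-related request."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:          # skip truncated or malformed lines
            continue
        client, result, url = fields[2], fields[3], fields[6]
        verdict = classify(url)
        if verdict != "other":
            findings.append((client, result, verdict, url))
    return findings

# Constructed sample lines in Squid's native access.log layout (assumed).
SAMPLE_LOG = [
    "1563180000.101 3 192.0.2.10 TCP_DENIED/403 3900 GET http://proxy.example:3128/squid-internal-mgr/info - HIER_NONE/- text/html",
    "1563180005.202 9 192.0.2.66 TCP_MISS/200 5120 GET http://proxy.example:3128/%73quid-internal-mgr/info - HIER_NONE/- text/plain",
    "1563180009.303 8 192.0.2.66 TCP_MISS/200 5120 GET http://proxy.example:3128/%2573quid-internal-mgr/info - HIER_NONE/- text/plain",
    "1563180012.404 40 192.0.2.20 TCP_MISS/200 812 GET http://example.org/a%20b - HIER_DIRECT/198.51.100.7 text/html",
    "truncated line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

An "encoded-manager" verdict paired with a non-denied result code is the combination worth reviewing first.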

Weakness Enumeration

Missing Authentication

Related Identifiers

ALSA-2020:4743
ALT-PU-2019-2264
ALT-PU-2019-2271
BDU:2020-02595
CESA-2020_4743
CVE-2019-12524
DLA-2278-1
DSA-4682-1
RHSA-2020:4743
RHSA-2020_4743
RLSA-2020:4743
SUSE-SU-2020:1227-1
SUSE-SU-2020:14460-1
USN-4446-1
USN-4446-2

Affected Products

ALT Linux
AlmaLinux
CentOS
Red Hat
Rocky Linux
Squid
Squid Cache
SUSE
Ubuntu