PT-2020-5765 · Squid+8 · Squid+9

Jeriko One

Published

2019-07-15

Updated

2022-08-19

CVE-2019-12521

CVSS v3.1

5.9

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Squid versions through 4.7

Description: An issue was discovered in Squid when parsing ESI. The ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via the addStackElement function. However, addStackElement has a check for the number of elements in this buffer that is off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure, so it cannot affect adjacent memory blocks, and thus just leads to a crash while processing. This can be exploited by a remote attacker to cause a denial of service.

Recommendations: For Squid versions through 4.7, update to a version that fixes this issue to prevent a potential crash while processing ESI elements. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787CWE-193

Related Identifiers

ALSA-2020:4743

ALT-PU-2019-2264

ALT-PU-2019-2271

ALT-PU-2020-3140

ALT-PU-2020-3142

BDU:2021-01724

CESA-2020_4743

CVE-2019-12521

DLA-2278-1

DSA-4682-1

OESA-2022-1851

OPENSUSE-SU-2020:0623-1

OPENSUSE-SU-2020_0623-1

RHSA-2020:4743

RHSA-2020_4743

RLSA-2020:4743

SUSE-SU-2020:1134-1

SUSE-SU-2020:1156-1

SUSE-SU-2020:1227-1

SUSE-SU-2020:14460-1

USN-4356-1

Affected Products

Alt Linux

Almalinux

Centos

Linuxmint

Red Hat

Rocky Linux

Squid

Squid Cache

Suse

Ubuntu

PT-2020-5765 · Squid+8 · Squid+9

CVE-2019-12521

Weakness Enumeration

Related Identifiers

Affected Products

References · 123