An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
21 Nov 2024, 04:33
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.squid-cache.org/Advisories/SQUID-2019_11.txt - Third Party Advisory | |
References | () http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch - Release Notes | |
References | () https://bugzilla.suse.com/show_bug.cgi?id=1156324 - Issue Tracking, Third Party Advisory | |
References | () https://github.com/squid-cache/squid/pull/491 - Patch, Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html - Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/ - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/ - | |
References | () https://security.gentoo.org/glsa/202003-34 - | |
References | () https://usn.ubuntu.com/4213-1/ - Third Party Advisory | |
References | () https://www.debian.org/security/2020/dsa-4682 - |
Information
Published : 2019-11-26 17:15
Updated : 2024-11-21 04:33
NVD link : CVE-2019-18679
Mitre link : CVE-2019-18679
CVE.ORG link : CVE-2019-18679
JSON object : View
Products Affected
squid-cache
- squid
canonical
- ubuntu_linux
fedoraproject
- fedora
debian
- debian_linux
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor