CVE-2019-12854

high-risk

Published 2019-08-15

Due to incorrect string termination, Squid cachemgr.cgi 4.0 through 4.7 may access unallocated memory. On systems with memory access protections, this can cause the CGI process to terminate unexpectedly, resulting in a denial of service for all clients using it.

Do I need to act?

44.5% chance of exploitation in next 30 days

EPSS score — higher than 56% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (9)

Squid

Debian Linux

Fedora

Ubuntu Linux

Leap

Affected Vendors

Debian Canonical Squid-Cache Fedoraproject Opensuse

References (18)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html

Vendor Advisory http://www.squid-cache.org/Advisories/SQUID-2019_1.txt

Patch http://www.squid-cache.org/Versions/v4/changesets/squid-4-2981a957716c61ff7e21ee...

Vendor Advisory https://bugs.squid-cache.org/show_bug.cgi?id=4937

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Mailing List https://seclists.org/bugtraq/2019/Aug/42

Third Party Advisory https://usn.ubuntu.com/4213-1/

Third Party Advisory https://www.debian.org/security/2019/dsa-4507