CVE-2019-18676

HIGH

Squid 3.x-4.x < 4.8 - Denial of Service via Crafted URI Scheme

Title source: llm
STIX 2.1

Description

An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.

References (10)

Core 10
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/squid-cache/squid/pull/275
Third Party Advisory x_refsource_confirm
http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.suse.com/show_bug.cgi?id=1156329
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4213-1/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4682
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4446-1/

Scores

CVSS v3 7.5
EPSS 0.0137
EPSS Percentile 80.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-787
Status published
Products (9)
canonical/ubuntu_linux 16.04 (2 CPE variants)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
canonical/ubuntu_linux 19.10
debian/debian_linux 9.0
debian/debian_linux 10.0
fedoraproject/fedora 30
fedoraproject/fedora 31
squid-cache/squid 3.0 - 3.5.28
Published Nov 26, 2019
Tracked Since Feb 18, 2026