Vulnerability Details : CVE-2019-18679
An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within a heap memory allocation. This information reduces ASLR protections and may aid attackers in isolating memory areas to target for remote code execution attacks.
Vulnerability category: Execute code; Information leak
Products affected by CVE-2019-18679
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*
- cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*
Threat overview for CVE-2019-18679
- Top open port discovered on systems with this issue: 3128
- IPs affected by CVE-2019-18679: 2,558,260
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2019-18679
- EPSS score: 7.24% (probability of exploitation activity in the next 30 days)
- Percentile: ~94% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2019-18679
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-18679
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-18679
- https://bugzilla.suse.com/show_bug.cgi?id=1156324 (Bug 1156324: VUL-0: CVE-2019-18679: squid, squid3: information disclosure when processing HTTP Digest Authentication) [Issue Tracking; Third Party Advisory]
- https://usn.ubuntu.com/4213-1/ (USN-4213-1: Squid vulnerabilities, Ubuntu security notices) [Third Party Advisory]
- https://www.debian.org/security/2020/dsa-4682 (Debian Security Information: DSA-4682-1 squid)
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch [Release Notes]
- https://security.gentoo.org/glsa/202003-34 (Squid: Multiple vulnerabilities (GLSA 202003-34), Gentoo security)
- https://github.com/squid-cache/squid/pull/491 (Hash Digest noncedata by squidcontrib, Pull Request #491, squid-cache/squid, GitHub) [Patch; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/ ([SECURITY] Fedora 31 Update: squid-4.9-2.fc31, package-announce, Fedora Mailing-Lists) [Mailing List; Third Party Advisory]
- http://www.squid-cache.org/Advisories/SQUID-2019_11.txt [Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html ([SECURITY] [DLA 2028-1] squid3 security update) [Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html ([SECURITY] [DLA 2278-1] squid3 security update)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/ ([SECURITY] Fedora 30 Update: squid-4.9-2.fc30, package-announce, Fedora Mailing-Lists) [Mailing List; Third Party Advisory]