{"id":"CVE-2019-12529","details":"An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as well. An attacker would not be able to retrieve the decoded data unless the Squid maintainer had configured the display of usernames on error pages.","modified":"2026-04-16T00:00:54.189213419Z","published":"2019-07-11T19:15:13.157Z","related":["ALSA-2020:4743","SUSE-SU-2019:2089-1","SUSE-SU-2019:2089-2","SUSE-SU-2019:2975-1","SUSE-SU-2020:14460-1","openSUSE-SU-2019:2540-1","openSUSE-SU-2019:2541-1","openSUSE-SU-2024:11403-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"introduced":"2.0"},{"fixed":"2.7"}],"cpe":"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"2.7-stable1"}],"cpe":"cpe:2.3:a:squid-cache:squid:2.7:stable1:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"2.7-stable2"}],"cpe":"cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"2.7-stable3"}],"cpe":"cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"2.7-stable4"}],"cpe":"cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"2.7-stable5"}],"cpe":"cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"2.7-stable6"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"2.7-stable7"}],"cpe":"cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"2.7-stable8"}],"cpe":"cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"2.7-stable9"}],"cpe":"cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"12.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"16.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"18.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"19.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"10.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"8.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"29"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"15.0"}],"cpe":"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"15.1"}],"cpe":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html"},{"type":"ADVISORY","url":"http://www.squid-cache.org/Versions/v4/changesets/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00018.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Aug/42"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4065-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4065-2/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4507"},{"type":"FIX","url":"http://www.squid-cache.org/Versions/v4/changesets/squid-4-dd46b5417809647f561d8a5e0e74c3aacd235258.patch"},{"type":"FIX","url":"https://github.com/squid-cache/squid/commits/v4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/squid-cache/squid","events":[{"introduced":"0"},{"last_affected":"6cfeb300caf423ff49a0511d8bd43a56f3418273"},{"last_affected":"2e17b02616d37206ba9cccc53c20667624fbef9f"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"3.0"},{"last_affected":"3.5.28"},{"introduced":"4.0"},{"last_affected":"4.7"}],"cpe":"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*"}}],"versions":["HISTORIC_RELEASES","SQUID_3_0_PRE1","SQUID_3_0_PRE2","SQUID_3_0_PRE3","SQUID_3_0_PRE4","SQUID_3_0_PRE5","SQUID_3_0_PRE6","SQUID_3_0_PRE7","SQUID_3_0_RC1","SQUID_3_5_0_1","SQUID_3_5_0_2","SQUID_3_5_0_3","SQUID_3_5_0_4","SQUID_3_5_1","SQUID_3_5_10","SQUID_3_5_11","SQUID_3_5_12","SQUID_3_5_13","SQUID_3_5_14","SQUID_3_5_15","SQUID_3_5_16","SQUID_3_5_17","SQUID_3_5_18","SQUID_3_5_19","SQUID_3_5_2","SQUID_3_5_20","SQUID_3_5_21","SQUID_3_5_22","SQUID_3_5_23","SQUID_3_5_24","SQUID_3_5_25","SQUID_3_5_26","SQUID_3_5_28","SQUID_3_5_3","SQUID_3_5_4","SQUID_3_5_5","SQUID_3_5_6","SQUID_3_5_7","SQUID_3_5_8","SQUID_3_5_9","SQUID_4_0_1","SQUID_4_0_10","SQUID_4_0_11","SQUID_4_0_12","SQUID_4_0_13","SQUID_4_0_14","SQUID_4_0_15","SQUID_4_0_16","SQUID_4_0_17","SQUID_4_0_18","SQUID_4_0_19","SQUID_4_0_2","SQUID_4_0_20","SQUID_4_0_21","SQUID_4_0_22","SQUID_4_0_23","SQUID_4_0_24","SQUID_4_0_25","SQUID_4_0_3","SQUID_4_0_4","SQUID_4_0_5","SQUID_4_0_6","SQUID_4_0_7","SQUID_4_0_8","SQUID_4_0_9","SQUID_4_1","SQUID_4_2","SQUID_4_3","SQUID_4_4","SQUID_4_5","SQUID_4_6","SQUID_4_7","take00"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-12529.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}