Launchpad.net

CVE 2019-12523

An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost.

Related bugs and status

CVE-2019-12523 (Candidate) is related to these bugs:

Bug #1890265: BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap

		In	Importance	Status
1890265	BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap	squid3 (Ubuntu)	Undecided	Fix Released
1890265	BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap	squid3 (Ubuntu Bionic)	High	Fix Released
1890265	BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap	squid3 (Debian)	Unknown	Fix Released
1890265	BUG: Version 3.5.27-1ubuntu1.7 breaks config using icap	squid3 (Ubuntu Xenial)	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2019-12523

Related bugs and status

Related bugs

References