Alpine: multiple squid packages: security update to 4.8-r0

critical Tenable Cloud Security Plugin ID 424552

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use
Digest authentication, it parses the Proxy-Authorization header. It searches for certain tokens such as
domain, uri, and qop. Squid checks whether the token's value starts with a quote and ends with one. If so, it
performs a memcpy of the value's length minus 2 to strip the quotes. Squid never checks whether the value is
just a single quote (which satisfies both the start and end test, since they inspect the same byte), so a
value of length 1 passes the check and the copy length becomes 1 minus 2, which wraps to a huge unsigned
size. (CVE-2019-12525)
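The following C program is an added illustration of the quote-stripping logic described above; it is not Squid's source and the function names, the 64-byte output buffer and the sample values are assumptions made for the demonstration. The vulnerable variant returns the length that would be handed to memcpy (the copy itself is deliberately not performed), so the wrap to SIZE_MAX for a lone `"` can be observed safely; the hardened variant requires a quoted value to be at least two characters long and to fit the destination before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Squid's own code. Models the CVE-2019-12525
 * pattern: a Digest Proxy-Authorization parameter value (domain=,
 * uri=, qop=) that starts and ends with '"' has its quotes stripped by
 * copying len - 2 bytes from value + 1. */

#define VALUE_MAX 64   /* assumed destination size for the demo */

/* Vulnerable form. For a one-byte value consisting of a single '"',
 * value[0] and value[len - 1] are the same byte, so both tests pass
 * and len - 2 wraps to SIZE_MAX. Returns the length memcpy would be
 * given; the copy is skipped here so the demo is safe to run. */
size_t digest_value_len_vulnerable(const char *value, size_t len)
{
    if (len > 0 && value[0] == '"' && value[len - 1] == '"')
        return len - 2;            /* wraps when len == 1 */
    return len;
}

/* Hardened form. A quoted value must be at least two bytes long, a
 * lone or unterminated quote is rejected, and the result must fit in
 * out. Returns the number of bytes copied, or -1 on rejection. */
long digest_value_copy_fixed(const char *value, size_t len,
                             char *out, size_t out_size)
{
    const char *src = value;
    size_t n = len;

    if (len >= 2 && value[0] == '"' && value[len - 1] == '"') {
        src = value + 1;
        n = len - 2;
    } else if (len > 0 && value[0] == '"') {
        out[0] = '\0';             /* malformed: lone or unclosed quote */
        return -1;
    }
    if (n >= out_size) {           /* leave room for the terminator */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, src, n);
    out[n] = '\0';
    return (long)n;
}

/* Helper for checks: 1 if the hardened copy of value equals expected. */
int fixed_yields(const char *value, const char *expected)
{
    char out[VALUE_MAX];
    long n = digest_value_copy_fixed(value, strlen(value), out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample values: a quoted uri, an unquoted qop, and the
     * single-quote value that triggers the wrap. */
    const char *inputs[] = { "\"/index.html\"", "auth", "\"" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char out[VALUE_MAX];
        size_t bad = digest_value_len_vulnerable(inputs[i], strlen(inputs[i]));
        long good = digest_value_copy_fixed(inputs[i], strlen(inputs[i]),
                                            out, sizeof out);
        printf("%-16s vulnerable memcpy len=%zu  hardened result=%ld\n",
               inputs[i], bad, good);
    }
    return 0;
}
```

Compile with `cc -std=c99 -Wall digest_quote.c`. The point to take away is that the start and end checks are not independent when the value is one byte long; any quote-stripping code that subtracts from an unsigned length must first establish that the length is at least the number of bytes being removed.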

- An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When
Squid is configured to use Basic authentication, the Proxy-Authorization header is decoded via uudecode.
uudecode determines how many bytes will be decoded by iterating over the input and checking each byte
against its decoding table. That length is then used to drive the decode loop. There is no check that the
computed length is not greater than the input buffer, so adjacent memory is decoded along with the input.
An attacker would not be able to retrieve the decoded data unless the Squid administrator had configured
the display of usernames on error pages. (CVE-2019-12529)

- The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
(CVE-2019-13345)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-12525

https://security.alpinelinux.org/vuln/CVE-2019-12529

https://security.alpinelinux.org/vuln/CVE-2019-13345

Plugin Details

Severity: Critical

ID: 424552

Version: Revision 1.7

Type: Local

Published: 4/4/2025

Updated: 5/31/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-12525

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/27/2019

Reference Information

CVE: CVE-2019-12525, CVE-2019-12529, CVE-2019-13345

BID: 109382, 109095