CVE-2019-12522

An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.

CVSS v3 4.5 MEDIUM
CVSS v2.0 4.4 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

4.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210205-0006/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

History

10 Mar 2021, 17:27

Type	Values Removed	Values Added
CVSS	v2 : ~~10.0~~ v3 : ~~9.8~~	v2 : 4.4 v3 : 4.5

11 Feb 2021, 14:45

Type	Values Removed	Values Added
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20210205-0006/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20210205-0006/ - Third Party Advisory

05 Feb 2021, 14:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20210205-0006/ -

Information

Published : 2020-04-15 19:15

Updated : 2023-12-10 13:27

NVD link : CVE-2019-12522

Mitre link : CVE-2019-12522

CVE.ORG link : CVE-2019-12522

JSON object : View

Products Affected

squid-cache

squid

CWE

CWE-269

Improper Privilege Management

{"id": "CVE-2019-12522", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.0}]}, "published": "2020-04-15T19:15:12.473", "references": [{"url": "https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12522.txt", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20210205-0006/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Squid versiones hasta 4.7. Cuando Squid se ejecuta como root, genera sus procesos hijos como un usuario menor, por defecto el usuario nobody. Esto se realiza por medio de la llamada de leave_suid. leave_suid deja el UID Guardado como 0. Esto hace que sea trivial para un atacante que ha comprometido el proceso hijo escalar sus privilegios de nuevo a root."}], "lastModified": "2021-03-10T17:27:49.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5584C95-5CB1-4D45-8C05-633746AE2AB4", "versionEndIncluding": "4.7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}