CVE-2019-12524

Name: CVE-2019-12524
Creator: NVD / NIST
Published: 2020-04-15T19:15:12.533+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 4.15%

Last modified Jun 17, 2026

CVE-2019-12524 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. EPSS estimates a 4.15% chance of exploitation in the next 30 days.

Description

An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the maintainer. This rule is implemented via url_regex. The handler for url_regex rules URL decodes an incoming request. This allows an attacker to encode their URL to bypass the url_regex check, and gain access to the blocked resource.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

4.15%

89.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-306

Affected Software

Vendor	Product	Versions
Squid-Cache	Squid	<= 4.7
Debian	Debian Linux	9.0
Debian	Debian Linux	10.0
Canonical	Ubuntu Linux	16.04
Canonical	Ubuntu Linux	18.04

References

https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txtThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.htmlMailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20210205-0006/Third Party Advisory
https://usn.ubuntu.com/4446-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4682Third Party Advisory
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txtThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.htmlMailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20210205-0006/Third Party Advisory
https://usn.ubuntu.com/4446-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4682Third Party Advisory

Timeline

Published: Apr 15, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-12524?

How severe is CVE-2019-12524?

CVE-2019-12524 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 4.15% probability of exploitation in the next 30 days.

How do I fix CVE-2019-12524?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-12524?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST