Improper Privilege Management Affecting squid package, versions *


Severity

Recommended
low

Based on Debian security rating.

Threat Intelligence

EPSS
0.04% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Privilege Management vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN13-SQUID-5695484
  • published3 Aug 2020
  • disclosed15 Apr 2020

Introduced: 15 Apr 2020

CVE-2019-12522  (opens in a new tab)
CWE-269  (opens in a new tab)

How to fix?

There is no fixed version for Debian:13 squid.

NVD Description

Note: Versions mentioned in the description apply only to the upstream squid package and not the squid package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.

CVSS Scores

version 3.1