vulnerability
Red Hat: CVE-2019-12522: squid: lack of UID assignment in child process spawning could lead to privileges escalation
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:L/AC:M/Au:S/C:P/I:P/A:P) | Apr 15, 2020 | Jul 9, 2025 | Jul 10, 2025 |
Severity
4
CVSS
(AV:L/AC:M/Au:S/C:P/I:P/A:P)
Published
Apr 15, 2020
Added
Jul 9, 2025
Modified
Jul 10, 2025
Description
An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has compromised the child process to escalate their privileges back to root.
Solution
no-fix-redhat-rpm-package
References
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.