CVE-2019-12528: 
Squid vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2019-12528) was discovered in Squid versions before 4.10. The vulnerability affects the FTP gateway functionality of Squid, a high-performance proxy caching server for Web clients (NVD, Squid Advisory).

The vulnerability stems from incorrect data management when translating FTP server listings into HTTP responses. When Squid's mempools feature is enabled, the information leak is limited to lines in FTP directory listings, possibly exposing data from other clients. When mempools is disabled, the leaked information may include any content from the heap area, including information from other processes on the machine (Squid Advisory).

A crafted FTP server can trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes. The vulnerability has a CVSS 3.1 Base Score of 7.5 (High), with high confidentiality impact but no impact on integrity or availability (Ubuntu).

The vulnerability was fixed in Squid version 4.10. For systems unable to upgrade immediately, workarounds include disabling FTP features by removing 'acl Safe_ports 21' and adding 'acl FTP proto FTP' and 'http_access deny FTP' to squid.conf. Alternatively, to reduce information leakage while retaining FTP features, ensure 'memory_pools off' is not present in the configuration (Squid Advisory).