Vulnerability CVE-2023-49606: Information

Description

A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.

Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: May 1, 2024
Modified: May 7, 2024
Error type identifier: CWE-416

Fixed packages

Package name | Branch               | Fixed in version | Version from repository | Errata ID           | Task # | State
-------------|----------------------|------------------|-------------------------|---------------------|--------|------
tinyproxy    | sisyphus             | 1.11.1-alt2      | 1.11.1-alt2             | ALT-PU-2024-7546-2  | 347660 | Fixed
tinyproxy    | sisyphus_e2k         | 1.11.1-alt2      | 1.11.1-alt2             | ALT-PU-2024-7612-1  | -      | Fixed
tinyproxy    | sisyphus_loongarch64 | 1.11.1-alt2      | 1.11.1-alt2             | ALT-PU-2024-7624-1  | -      | Fixed
tinyproxy    | p11                  | 1.11.1-alt2      | 1.11.1-alt2             | ALT-PU-2024-7546-2  | 347660 | Fixed

References to Advisories, Solutions, and Tools