CVE-2023-49606 — tinyproxy - security update

Description

A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.

How to fix CVE-2023-49606

To remediate CVE-2023-49606, upgrade the affected package to a fixed version below.

—upgrade to 1.11.2-r0 or later
—upgrade to 1.10.0-5+deb11u1 or later
—upgrade to 1.11.1-2.1+deb12u1 or later

Is CVE-2023-49606 being exploited?

Likely — EPSS is 79.6%, placing CVE-2023-49606 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

from 0, < 1.11.2-r0
from 0, < 1.10.0-5+deb11u1
from 0, < 1.11.1-2.1+deb12u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2023-49606
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-49606