CVE-2023-49606

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-49606
A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2024/05/07/1
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
http://www.openwall.com/lists/oss-security/2024/05/07/1
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
Configurations

No configuration.

History

21 Nov 2024, 08:33

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2024/05/07/1 - () http://www.openwall.com/lists/oss-security/2024/05/07/1 -
References () https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889 - () https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889 -

07 May 2024, 12:15

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de use-after-free en el análisis de los encabezados de conexión HTTP en Tinyproxy 1.11.1 y Tinyproxy 1.10.0. Un encabezado HTTP especialmente manipulado puede provocar la reutilización de la memoria previamente liberada, lo que provoca daños en la memoria y podría provocar la ejecución remota de código. Un atacante necesita realizar una solicitud HTTP no autenticada para activar esta vulnerabilidad.
References
  • () http://www.openwall.com/lists/oss-security/2024/05/07/1 -

01 May 2024, 19:50

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-01 16:15

Updated : 2024-11-21 08:33

NVD link : CVE-2023-49606

Mitre link : CVE-2023-49606

CVE.ORG link : CVE-2023-49606

JSON object : View

Products Affected

No product.

CWE
CWE-416

Use After Free