Cisco Talos reports two memory safety vulnerabilities in tinyproxy, a small HTTP
proxy server, in versions prior to 1.11.2 (not yet released). Quotes from the
two advisories below.
First advisory <https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889>:
CVE-2023-49606
A use-after-free vulnerability exists in the HTTP Connection Headers parsing
in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can
trigger reuse of previously freed memory, which leads to memory corruption and
could lead to remote code execution. An attacker needs to make an
unauthenticated HTTP request to trigger this vulnerability.
9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Second advisory <https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902>:
CVE-2023-40533
An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 while
parsing HTTP requests. In certain configurations, a specially crafted HTTP
request can result in disclosure of data allocated on the heap, which could
contain sensitive information. An attacker can make an unauthenticated HTTP
request to trigger this vulnerability.
5.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Upstream has an issue open at
<https://github.com/tinyproxy/tinyproxy/issues/533>. Talos claims to have
contacted them in December 2023, but according to the developer there was no
contact before the above advisories were released. The developer also disputes
the veracity of CVE-2023-40533. Whatever the case,
<https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956>
is the official fix for CVE-2023-49606.
-Valtteri