cbcvebase.
CVE-2023-49606
published 2024-05-01

Priority P188: critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW: VulnCheck KEV, exploited in the wild
EPSS: 63.08% (99.1th percentile)
A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.

Affected (9 ranges)

Vendor              Product     Version range                                Fixed in
debian              tinyproxy   < tinyproxy 1.11.1-2.1+deb12u1 (bookworm)    tinyproxy 1.11.1-2.1+deb12u1 (bookworm)
tinyproxy           tinyproxy   (not stated)                                 (not stated)
tinyproxy           tinyproxy   (not stated)                                 (not stated)
tinyproxy           tinyproxy   >= 0, < 1.10.0-5+deb11u1                     1.10.0-5+deb11u1
tinyproxy           tinyproxy   >= 0, < 1.11.1-2.1+deb12u1                   1.11.1-2.1+deb12u1
tinyproxy           tinyproxy   >= 0, < 1.11.1-4                             1.11.1-4
tinyproxy           tinyproxy   >= 0, < 1.11.1-4                             1.11.1-4
tinyproxy_project   tinyproxy   (not stated)                                 (not stated)
tinyproxy_project   tinyproxy   (not stated)                                 (not stated)

Detection & IOCs (extracted from sources)

IOC (other): Connection: Connection
IOC (other): remove_connection_headers()
  • The vulnerability is triggered via the HTTP `Connection` header (and `Proxy-Connection` header) in unauthenticated requests to Tinyproxy; look for malformed header values such as 'Connection: Connection' in HTTP proxy traffic.
  • Snort rule sets from Snort.org cover exploitation of CVE-2023-49606; download the latest rule sets for detection coverage.
  • Exploitation does not require authentication; any unauthenticated HTTP request with a crafted Connection header to a Tinyproxy listener should be treated as suspicious.
  • Vulnerable Tinyproxy versions are 1.11.1 and 1.10.0; internet-exposed instances on these versions should be prioritized for detection and patching.
  • The security fix (commit 12a8484) is included in the upcoming version 1.11.2; users can pull from the master branch or manually apply the fix as an interim measure.
  • The vulnerability's exploitability may be reduced in environments using authentication or access control lists, as the updated code only triggers after passing those checks.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                       9.8     CRITICAL
vulncheck                 9.8     CRITICAL
vendor_debian             9.8     CRITICAL