CVE-2023-49606
Published 2024-05-01
Priority P188 · Critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 63.08% (99.1th percentile)
A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tinyproxy | < tinyproxy 1.11.1-2.1+deb12u1 (bookworm) | tinyproxy 1.11.1-2.1+deb12u1 (bookworm) |
| tinyproxy | tinyproxy | — | — |
| tinyproxy | tinyproxy | — | — |
| tinyproxy | tinyproxy | >= 0 < 1.10.0-5+deb11u1 | 1.10.0-5+deb11u1 |
| tinyproxy | tinyproxy | >= 0 < 1.11.1-2.1+deb12u1 | 1.11.1-2.1+deb12u1 |
| tinyproxy | tinyproxy | >= 0 < 1.11.1-4 | 1.11.1-4 |
| tinyproxy | tinyproxy | >= 0 < 1.11.1-4 | 1.11.1-4 |
| tinyproxy_project | tinyproxy | — | — |
| tinyproxy_project | tinyproxy | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via the HTTP `Connection` header (and `Proxy-Connection` header) in unauthenticated requests to Tinyproxy; look for malformed header values such as `Connection: Connection` in HTTP proxy traffic.
- Snort rule sets from Snort.org cover exploitation of CVE-2023-49606; download the latest rule sets for detection coverage.
- Exploitation does not require authentication; any unauthenticated HTTP request with a crafted `Connection` header to a Tinyproxy listener should be treated as suspicious.
- Vulnerable Tinyproxy versions are 1.11.1 and 1.10.0; internet-exposed instances on these versions should be prioritized for detection and patching.
- The security fix (commit 12a8484) is included in the upcoming version 1.11.2; users can pull from the master branch or manually apply the fix as an interim measure.
- The vulnerability's exploitability may be reduced in environments using authentication or access control lists, as the affected code only runs after those checks pass.
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv · 9.8 CRITICAL
- vulncheck · 9.8 CRITICAL
- vendor_debian · 9.8 CRITICAL
OSV
osv · 2024-05-01 · CVSS 9.8 · CVE-2023-49606 [CRITICAL]
GHSA
GHSA-w78j-vw2g-233v · ghsa_unreviewed · 2024-05-01 · CWE-416 · CVE-2023-49606 [CRITICAL]
VulnCheck
vulncheck · 2023 · CVSS 9.8 · CVE-2023-49606 [CRITICAL]
Title: tinyproxy_project tinyproxy Use After Free
Affected: tinyproxy_project tinyproxy
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2023-49606&date=2026-04-06
Ubuntu
vendor_ubuntu · 2025-01-08 · CVE-2023-49606
Title: Tinyproxy vulnerability
Summary: Tinyproxy could be made to crash or run programs if it received specially crafted input.
It was discovered that Tinyproxy did not properly manage memory during the parsing of HTTP connection headers. An attacker could use this issue to cause a DoS or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
vendor_debian · 2023 · CVSS 9.8 · CVE-2023-49606 [CRITICAL] · tinyproxy
Scope: local
bookworm: resolved (fixed in 1.11.1-2.1+deb12u1)
bullseye: resolved (fixed in 1.10.0-5+deb11u1)
forky: resolved (fixed in 1.11.1-4)
sid: resolved (fixed in 1.11.1-4)
trixie: resolved (fixed in 1.11.1-4)
No detection rules found.
No public exploits indexed.
Talos
blogs_talos · 2024-05-09
## A new alert system from CISA seems to be effective — now we just need companies to sign up
One of the great cybersecurity challenges organizations currently face, especially smaller ones, is that they don’t know what they don’t know.
It’s tough to have your eyes on everything all the time, especially with so many pieces of software running and IoT devices extending the reach of networks broader than ever.
One potential (and free!) solution seems to be a new program from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) that alerts companies and organizations of unpatched vulnerabilities that attackers could exploit.
Under a pilot program that’s been running since January 2023, CISA has sent out more than 2,000 alerts to registered organizations regarding the existence of any unpatched vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog. For
Talos
blogs_talos · 2024-05-08 · CVSS 8.8 [HIGH] · CVSS 9.8 [CRITICAL]
## Talos discloses multiple zero-day vulnerabilities, two of which could lead to code execution
Cisco Talos’ Vulnerability Research team recently disclosed three zero-day vulnerabilities that are still unpatched as of Wednesday, May 8.
Two vulnerabilities in this group — one in the Tinyproxy HTTP proxy daemon and another in the stb_vorbis.c file library — could lead to arbitrary code execution, earning both issues a CVSS score of 9.8 out of 10. While we were unable to reach the maintainers, the Tinyproxy maintainers have since patched the issue.
Another zero-day exists in the Milesight UR32L wireless router.
These vulnerabilities have all been disclosed in adherence to Cisco’s third-party vulnerability disclosure timeline after the associated vendors did not meet the 90-day deadline for a patch or communication.
For Snort coverage that can detect the exploitation of these vulnerabi
Bleepingcomputer
blogs_bleepingcomputer · 2024-05-07 · CVSS 9.8 · CVE-2023-49606 [CRITICAL]
## Over 50,000 Tinyproxy servers vulnerable to critical RCE flaw
## Bill Toulas
Nearly 52,000 internet-exposed Tinyproxy instances are vulnerable to CVE-2023-49606, a recently disclosed critical remote code execution (RCE) flaw.
Tinyproxy is an open-source HTTP and HTTPS proxy server designed to be fast, small, and lightweight. It is specifically tailored for UNIX-like operating systems and is commonly used by small businesses, public WiFi providers, and home users.
At the start of the month, Cisco Talos disclosed CVE-2023-49606, a critical (CVSS v3: 9.8) use-after-free flaw the researchers discovered in December 2023, impacting versions 1.11.1 (latest) and 1.10.0, after claiming not to have received a response from the developers.
Cisco's report shared detailed information about the vul
Greynoiseio
NoiseLetter May 2024
blogs_greynoiseio
References
- http://www.openwall.com/lists/oss-security/2024/05/07/1
- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1889
- https://lists.debian.org/debian-lts-announce/2024/09/msg00035.html