Bug 2278272 (CVE-2023-40533) - CVE-2023-40533 tinyproxy: HTTP request parsing uninitialized memory
Summary: CVE-2023-40533 tinyproxy: HTTP request parsing uninitialized memory
Status: NEW
Alias: CVE-2023-40533
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
Depends On: 2278273 2278274
Reported: 2024-05-01 18:36 UTC by Robb Gatica
Modified: 2024-05-01 18:36 UTC


Description Robb Gatica 2024-05-01 18:36:19 UTC
An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 while parsing HTTP requests. In certain configurations, a specially crafted HTTP request can result in disclosure of data allocated on the heap, which could contain sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902

Comment 1 Robb Gatica 2024-05-01 18:36:34 UTC
Created tinyproxy tracking bugs for this issue:

Affects: epel-all [bug 2278273]
Affects: fedora-all [bug 2278274]
