Bugzilla – Bug 1223743
VUL-0: CVE-2023-40533: tinyproxy: uninitialized memory use could result in certain configuration in sensitive information disclosure via crafted HTTP request
Last modified: 2024-05-10 16:05:23 UTC
An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 while parsing HTTP requests. In certain configurations, a specially crafted HTTP request can result in disclosure of data allocated on the heap, which could contain sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40533
https://www.cve.org/CVERecord?id=CVE-2023-40533
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902
Seems a duplicate of CVE-2022-40468: https://github.com/tinyproxy/tinyproxy/issues/457

Initialization of variables was added via: https://github.com/tinyproxy/tinyproxy/commit/3764b8551463b900b5b4e3ec0cd9bb9182191cb7

Tracking as affected:
- openSUSE:Backports:SLE-15-SP5/tinyproxy
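The fix referenced above is an initialization of variables, i.e. the classic pattern where a heap-allocated request record is returned or cleaned up on an error path before all of its fields have been written. The C program below is an added illustration of that pattern and its hardening; it is not Tinyproxy's code, and the struct, the `parse_request_weak`/`parse_request_safe` functions and the sample request lines are hypothetical. It shows a weak parser that malloc()s the record and bails out on a malformed request line, leaving the caller's cleanup to read whatever the heap previously held, beside a hardened parser that calloc()s and sets explicit defaults before any failure path, so unset pointers are NULL and cleanup is safe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-request record, loosely modelled on what an HTTP
 * proxy keeps for each client request. Not Tinyproxy's own struct. */
struct request {
    char *method;
    char *url;
    char *version;
    char *host;   /* filled in later, after the request line is parsed */
    int   port;
};

/* Copies len bytes of start into a fresh NUL-terminated string. */
static char *dup_token(const char *start, size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, start, len);
    s[len] = '\0';
    return s;
}

/* Releases every field. Correct only if each pointer is NULL or a live
 * allocation, which the weak parser below does not guarantee. */
void free_request(struct request *req)
{
    if (req == NULL)
        return;
    free(req->method);
    free(req->url);
    free(req->version);
    free(req->host);
    free(req);
}

/* Splits "METHOD URL VERSION" into the three string fields.
 * Returns 0 on success, -1 on a malformed line. Note the early returns:
 * on failure some or all of the three fields are never assigned. */
static int split_request_line(const char *line, struct request *req)
{
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL || sp1 == line)
        return -1;
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL || sp2 == sp1 + 1 || sp2[1] == '\0')
        return -1;
    req->method  = dup_token(line, (size_t)(sp1 - line));
    req->url     = dup_token(sp1 + 1, (size_t)(sp2 - sp1 - 1));
    req->version = dup_token(sp2 + 1, strlen(sp2 + 1));
    if (req->method == NULL || req->url == NULL || req->version == NULL)
        return -1;
    return 0;
}

/* Weak pattern (for comparison, not exercised by the test): malloc()
 * leaves the fields holding stale heap contents. On a malformed line
 * the cleanup frees, and an error-page generator would print, whatever
 * those bytes happen to be. */
struct request *parse_request_weak(const char *line)
{
    struct request *req = malloc(sizeof *req);   /* contents undefined */
    if (req == NULL)
        return NULL;
    if (split_request_line(line, req) != 0) {
        free_request(req);   /* BUG: uses uninitialised pointers */
        return NULL;
    }
    return req;
}

/* Hardened pattern: zero the record and set explicit defaults before
 * any path that can fail, so cleanup and error reporting only ever see
 * NULL pointers or real allocations. */
struct request *parse_request_safe(const char *line)
{
    struct request *req = calloc(1, sizeof *req); /* all pointers NULL */
    if (req == NULL)
        return NULL;
    req->port = 80;                               /* explicit default */
    if (split_request_line(line, req) != 0) {
        free_request(req);   /* safe: unset fields are NULL */
        return NULL;
    }
    return req;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed line, one malformed. */
    struct request *ok = parse_request_safe("GET http://example.test/ HTTP/1.1");
    if (ok != NULL) {
        printf("method=%s url=%s version=%s port=%d\n",
               ok->method, ok->url, ok->version, ok->port);
        free_request(ok);
    }
    struct request *bad = parse_request_safe("GARBAGE");
    printf("malformed line parsed: %s\n", bad == NULL ? "rejected" : "accepted");
    free_request(bad);
    return 0;
}
```

The point of the hardened version is not calloc() by itself but the ordering: every field has a defined value before the first statement that can fail, so no error path can observe stale heap data. Compiling with `-fsanitize=address,undefined` and feeding malformed lines to the weak variant is a quick way to catch this class of defect in review.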
This is an autogenerated message for OBS integration:
This bug (1223743) was mentioned in
https://build.opensuse.org/request/show/1172808 15.5 / tinyproxy

This is an autogenerated message for OBS integration:
This bug (1223743) was mentioned in
https://build.opensuse.org/request/show/1172919 Backports:SLE-15-SP6 / tinyproxy
https://build.opensuse.org/request/show/1172920 Backports:SLE-15-SP5 / tinyproxy
openSUSE-SU-2024:0119-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1200028,1203553,1223743,1223746
CVE References: CVE-2012-3505,CVE-2017-11747,CVE-2022-40468,CVE-2023-40533,CVE-2023-49606
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): tinyproxy-1.11.2-bp155.3.3.1