rpm package: opensuse/tinyproxy (distro: openSUSE Tumbleweed)
purl: pkg:rpm/opensuse/tinyproxy&distro=openSUSE%20Tumbleweed
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-54388 | — | | | < 1.11.3-3.1 | 1.11.3-3.1 | Jun 17, 2026 | Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote at |
| CVE-2026-54387 | — | | | < 1.11.3-3.1 | 1.11.3-3.1 | Jun 17, 2026 | Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can de |
| CVE-2026-55202 | — | | | < 1.11.3-3.1 | 1.11.3-3.1 | Jun 17, 2026 | Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can |
| CVE-2026-3945 | — | | | < 1.11.3-2.1 | 1.11.3-2.1 | Mar 30, 2026 | An integer overflow vulnerability in the HTTP chunked transfer encoding parser in tinyproxy up to and including version 1.11.3 allows an unauthenticated remote attacker to cause a denial of service (DoS). The issue occurs because chunk size values are parsed using strtol() withou |
| CVE-2023-49606 | — | | | < 1.11.2-1.1 | 1.11.2-1.1 | May 1, 2024 | A use-after-free vulnerability exists in the HTTP Connection Headers parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attack |
| CVE-2022-40468 | — | | | < 1.11.1-2.1 | 1.11.1-2.1 | Sep 19, 2022 | Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. Tinyproxy commit 84f203f and earlier use uninitialized buffers in the process_request() function. |
| CVE-2017-11747 | Med | 5.5 | | < 1.11.0-1.3 | 1.11.0-1.3 | Jul 30, 2017 | main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tinyproxy.pid modification before a root |
| CVE-2012-3505 | — | | | < 1.8.4-1.8 | 1.8.4-1.8 | Oct 9, 2012 | Tinyproxy 1.8.3 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via (1) a large number of headers or (2) a large number of forged headers that trigger hash collisions predictably. bucket. |