CVE-2022-40468

Name
CVE-2022-40468
Description
Potential leak of left-over heap data if custom error page templates containing special non-standard variables are used. Tinyproxy commit 84f203f and earlier use uninitialized buffers in the process_request() function.
NVD Severity
medium

References

Type URI
MISC https://github.com/tinyproxy/tinyproxy
MISC https://github.com/tinyproxy/tinyproxy/issues/457
MISC https://github.com/tinyproxy/tinyproxy/blob/84f203fb1c4733608c7283bbe794005a469c4b00/src/reqs.c#L346
MISC https://github.com/tinyproxy/tinyproxy/issues/457#issuecomment-1264176815
GENTOO https://security.gentoo.org/glsa/202305-27

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:tinyproxy_project:tinyproxy:*:*:*:*:*:*:*:* tinyproxy >= None < 2022-09-08
cpe:2.3:a:tinyproxy_project:tinyproxy:*:*:*:*:*:*:*:* tinyproxy >= None <= 1.11.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
tinyproxy 3.15-main 1.11.0-r0 Michael Mason <ms13sp@gmail.com> possibly vulnerable
tinyproxy 3.14-main 1.11.0-r0 Michael Mason <ms13sp@gmail.com> possibly vulnerable
tinyproxy 3.13-main 1.10.0-r3 Michael Mason <ms13sp@gmail.com> possibly vulnerable
tinyproxy edge-main 1.11.2-r0 Michael Mason <ms13sp@gmail.com> fixed
tinyproxy 3.19-main 1.11.2-r0 Michael Mason <ms13sp@gmail.com> fixed
tinyproxy 3.18-main 1.11.2-r0 Michael Mason <ms13sp@gmail.com> fixed
tinyproxy 3.17-main 1.11.2-r0 Michael Mason <ms13sp@gmail.com> fixed
tinyproxy 3.16-main 1.11.2-r0 Michael Mason <ms13sp@gmail.com> fixed
tinyproxy 3.20-main 1.11.2-r0 Michael Mason <ms13sp@gmail.com> fixed