Who: More than half of the 90,310 hosts exposing Tinyproxy to the internet are running versions vulnerable to a critical security flaw, tracked as CVE-2023-49606, that was still unpatched when it was disclosed.
What: Cisco Talos describes the flaw as a use-after-free in Tinyproxy's handling of HTTP Connection headers, affecting versions 1.10.0 and 1.11.1. A specially crafted HTTP header sent to the proxy can trigger reuse of already-freed memory, corrupting the heap and potentially leading to remote code execution. No authentication is required beyond being able to reach the proxy's listening port.
Impact: Attackers could exploit this flaw to execute arbitrary code in the context of the tinyproxy process on vulnerable hosts. The majority of affected hosts are in the U.S., South Korea, China, France, and Germany. Talos published its advisory and proof-of-concept, prompting the Tinyproxy maintainers to address the issue. Administrators should update to a release that contains the fix (or apply the upstream patch) immediately, and stop exposing Tinyproxy to the public internet: bind it to an internal interface with the Listen directive and restrict clients with Allow rules in tinyproxy.conf.
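A practitioner triaging an estate will want a quick way to tell which reachable proxies run an affected build. Tinyproxy advertises its version in the Via header it adds to proxied responses (for example `Via: 1.1 proxy01 (tinyproxy/1.11.1)`), unless the operator set DisableViaHeader. The script below is an added example, not code from the article or the Tinyproxy project: it parses the version out of a raw HTTP response head and classifies it against the versions named in the Talos advisory. The sample responses are constructed, and the assumption that the first fixed release is 1.11.2 is marked in the code; a proxy that hides its version is reported as unknown rather than safe.

```python
import re
from typing import Optional

# Versions named as affected in the Talos advisory for CVE-2023-49606.
VULNERABLE_VERSIONS = {"1.10.0", "1.11.1"}

# Assumption for this example: the first release carrying the fix is 1.11.2.
FIXED_VERSION = (1, 11, 2)

# Tinyproxy formats its Via entry as "<proto> <hostname> (tinyproxy/<version>)".
VIA_VERSION_RE = re.compile(r"tinyproxy/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def extract_version(raw_response: str) -> Optional[tuple]:
    """Return (major, minor, patch) from the Via header of a raw HTTP
    response head, or None if no tinyproxy version is revealed."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "via":
            # Via may list several hops, e.g. "1.1 a (tinyproxy/1.11.1), 1.1 b (nginx)".
            match = VIA_VERSION_RE.search(value)
            if match:
                return tuple(int(part) for part in match.groups())
    return None


def classify(raw_response: str) -> str:
    """Classify a response as 'vulnerable', 'fixed', 'suspect' or 'unknown'.

    'suspect' covers versions older than the fix that the advisory did not
    test; treat them as needing an upgrade, not as safe."""
    version = extract_version(raw_response)
    if version is None:
        # Either not Tinyproxy or DisableViaHeader is set: no evidence either way.
        return "unknown"
    if ".".join(str(p) for p in version) in VULNERABLE_VERSIONS:
        return "vulnerable"
    if version >= FIXED_VERSION:
        return "fixed"
    return "suspect"


# Constructed sample responses (not captured from real hosts).
SAMPLES = {
    "vulnerable": "HTTP/1.1 200 OK\r\nVia: 1.1 proxy01 (tinyproxy/1.11.1)\r\nContent-Length: 0\r\n\r\n",
    "fixed": "HTTP/1.1 200 OK\r\nVia: 1.1 proxy02 (tinyproxy/1.11.2)\r\nContent-Length: 0\r\n\r\n",
    "chained": "HTTP/1.1 200 OK\r\nVia: 1.1 edge (nginx), 1.1 proxy03 (tinyproxy/1.10.0)\r\n\r\n",
    "older": "HTTP/1.1 200 OK\r\nVia: 1.1 proxy04 (tinyproxy/1.8.4)\r\n\r\n",
    "silent": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}


def report(samples: dict) -> dict:
    """Map each sample name to its classification, for a quick inventory view."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in report(SAMPLES).items():
        print(f"{name:11s} -> {verdict}")
```

In practice the raw response head would come from a HEAD or GET request issued through each proxy in the inventory; feed the head of that response to `classify`. The Via header is the only self-reported signal the proxy gives, so an "unknown" result means the host still needs to be checked by package version on the box itself.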