Configuration in tinyproxy and Debian Linux - CVE-2011-1499

 


Published: April 30, 2011 / Updated: August 11, 2020


Vulnerability identifier: #VU45103
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2011-1499
CWE-ID: CWE-16
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: tinyproxy, Debian
Affected software: tinyproxy, Debian Linux

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

acl.c in Tinyproxy before 1.8.3, when an Allow configuration setting specifies a CIDR block, permits TCP connections from all IP addresses, which makes it easier for remote attackers to hide the origin of web traffic by leveraging the open HTTP proxy server.


How to mitigate CVE-2011-1499

Install the update from the vendor's website.
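To decide whether a host needs the update, check the two conditions in the description together: a Tinyproxy version before 1.8.3 and an Allow directive that uses a CIDR block. The script below is an added example, not code from the advisory or from the Tinyproxy project; the function names and the sample configuration are constructed for illustration.

```python
import re

FIXED = (1, 8, 3)  # first fixed release, per the advisory text

# Active (uncommented) Allow directive whose argument is a CIDR block,
# e.g. "Allow 192.168.0.0/16". Plain-address Allow lines are not matched.
ALLOW_CIDR = re.compile(
    r'^\s*Allow\s+"?([0-9A-Fa-f:.]+/\d{1,3})"?\s*(?:#.*)?$', re.IGNORECASE)

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
Port 8888
Allow 127.0.0.1
#Allow 10.0.0.0/8
Allow 192.168.0.0/16
"""


def parse_version(text):
    """Turn '1.8.2' or 'tinyproxy 1.8.2-1' into a comparable tuple (1, 8, 2)."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def cidr_allow_lines(conf_text):
    """Return (line_number, cidr) for each active Allow directive with a CIDR block."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = ALLOW_CIDR.match(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def audit(version_text, conf_text):
    """Flag the host only if the version predates 1.8.3 AND a CIDR Allow rule exists."""
    hits = cidr_allow_lines(conf_text)
    vulnerable = parse_version(version_text) < FIXED and bool(hits)
    return vulnerable, hits


if __name__ == "__main__":
    flagged, rules = audit("1.8.2", SAMPLE_CONF)
    print("needs update:", flagged, "CIDR Allow rules:", rules)
```

Distribution packages can carry a backported fix under an older upstream version number, so treat a positive result on Debian as a prompt to check the package's changelog or the distribution's security tracker rather than as proof of exposure.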
