CVE-2017-11747

Published: Jul 30, 2017Modified: May 13, 2026

5.5

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinyproxy.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for tinyproxy.pid modification before a root script executes a "kill `cat /run/tinyproxy/tinyproxy.pid`" command.

Affected (1)

Products: Tinyproxy Project: Tinyproxy

Tinyproxy Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Tinyproxy Project Tinyproxy	Up to 1.8.4

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (4)

https://github.com/tinyproxy/tinyproxy/issues/106

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/03/msg00037.html

Source: cve@mitre.org

https://github.com/tinyproxy/tinyproxy/issues/106

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/03/msg00037.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.