mend-for-github-com bot changed the title from "haproxy-1.9v1.9.1: 8 vulnerabilities (highest severity is: 9.8)" to "haproxy-1.9v1.9.1: 9 vulnerabilities (highest severity is: 9.8)" on Nov 29, 2023
Mirror of http://git.haproxy.org/git/haproxy-1.9.git
Library home page: https://github.com/cloudant/haproxy-1.9.git
Vulnerabilities
In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
Vulnerable Library - haproxy-1.9v1.9.1
Found in base branch: main
Vulnerable Source Files (1)
Vulnerability Details
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
Publish Date: 2019-11-27
URL: CVE-2019-19330
CVSS 3 Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19330
Release Date: 2020-04-01
Fix Resolution: v2.0.10
Vulnerable Libraries - haproxy-1.9v1.9.1, haproxy-1.9v1.9.1
Vulnerability Details
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.
Publish Date: 2023-02-14
URL: CVE-2023-25725
CVSS 3 Score: 9.1
Vulnerable Library - haproxy-1.9v1.9.1
Vulnerability Details
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.
Publish Date: 2020-04-02
URL: CVE-2020-11100
CVSS 3 Score: 8.8
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-11100
Release Date: 2020-04-02
Fix Resolution: haproxy-debugsource - 1.8.15-5, 1.8.15-6; haproxy-debuginfo - 1.8.15-5, 1.8.15-6; haproxy - 1.8.15-5, 1.8.15-6
Vulnerable Library - haproxy-1.9v1.9.1
Vulnerability Details
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
Publish Date: 2023-11-28
URL: CVE-2023-45539
CVSS 3 Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-45539
Release Date: 2023-11-28
Fix Resolution: v2.8.2
Vulnerable Library - haproxy-1.9v1.9.1
Vulnerability Details
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.
Publish Date: 2021-08-17
URL: CVE-2021-39242
CVSS 3 Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-39242
Release Date: 2021-08-17
Fix Resolution: haproxy - 2.2.16-1,2.2.9-2+deb11u1
Vulnerable Library - haproxy-1.9v1.9.1
Vulnerability Details
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve.
Publish Date: 2021-08-17
URL: CVE-2021-39240
CVSS 3 Score: 7.5
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-39240
Release Date: 2021-08-17
Fix Resolution: haproxy - 2.2.16-1,2.2.9-2+deb11u1
Vulnerable Libraries - haproxy-1.9v1.9.1, haproxy-1.9v1.9.1
Vulnerability Details
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Publish Date: 2023-08-10
URL: CVE-2023-40225
CVSS 3 Score: 7.2
Vulnerable Library - haproxy-1.9v1.9.1
Vulnerability Details
HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use of uninitialized, and very predictable, HMAC keys. This is related to an include/types/ssl_sock.h error.
Publish Date: 2019-05-09
URL: CVE-2019-11323
CVSS 3 Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11323
Release Date: 2019-05-09
Fix Resolution: v1.9.7
Vulnerable Library - haproxy-1.9v1.9.1
Vulnerability Details
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example.
Publish Date: 2021-08-17
URL: CVE-2021-39241
CVSS 3 Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-39241
Release Date: 2021-08-17
Fix Resolution: haproxy - 2.2.16-1,2.2.9-2+deb11u1