CVE-2019-18277 – haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated "chunked" value
https://notcve.org/view.php?id=CVE-2019-18277
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification). Se encontró un fallo en HAProxy versiones anteriores a 2.0.6. En el modo legacy, los mensajes caracterizados por un encabezado de codificación de transferencia que no tenía el valor "chunked" no habían sido rechazados correctamente. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=196a7df44d8129d1adc795da020b722614d6a581 https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html https://nathandavison.com/blog/haproxy-http-request-smuggling https://usn.ubuntu.com/4174-1 https://www.mail-archive.com/haproxy%40formilux.org/msg34926.html https://access.redhat.com/sec • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2019-14241
https://notcve.org/view.php?id=CVE-2019-14241
HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c. HAProxy hasta versión 2.0.2, permite a los atacantes causar una denegación de servicio (ha_panic) por medio de vectores relacionados con la función htx_manage_client_side_cookies en el archivo proto_htx.c. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00062.html http://www.securityfocus.com/bid/109352 https://github.com/haproxy/haproxy/issues/181 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2019-8953 – pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-8953
The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php. El paquete HAProxy, en versiones anteriores a la 0.59_16 para pfSense, tiene Cross-Site Scripting (XSS) mediante los parámetros desc (también conocido como Description) o table_actionsaclN, relacionados con haproxy_listeners.php y haproxy_listeners_edit.php. pfSense version 2.4.4-p1 with HAProxy Package version 0.59_14 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/46538 https://cxsecurity.com/issue/WLB-2019020153 https://github.com/pfsense/FreeBSD-ports/commit/2dded47b3202dfdf89aa96f84bf701b3d5acbe6c https://github.com/pfsense/FreeBSD-ports/commit/3b40366aca55910b224ecf49d3fdacc9ad6c04f5 https://redmine.pfsense.org/issues/9335 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20615 – haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash
https://notcve.org/view.php?id=CVE-2018-20615
An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag in a HEADERS frame requires 5 extra bytes, and while these bytes are skipped, the total frame length was not re-checked to make sure they were present in the frame. Se ha descubierto un problema de lectura fuera de límites en el decodificador del protocolo HTTP/2 en HAProxy, en versiones 1.8.x y 1.9.x hasta la 1.9.0, lo que puede resultar en un cierre inesperado. El procesamiento del flag PRIORITY en un frame HEADERS requiere 5 bytes adicionales y, aunque se omiten estos bytes, la longitud total del frame no se volvió a comprobar para asegurar que estaban presentes en la trama. A flaw was found in HAProxy, versions before 1.8.17 and 1.9.1. • http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00018.html http://www.securityfocus.com/bid/106645 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2019:0275 https://usn.ubuntu.com/3858-1 https://www.mail-archive.com/haproxy%40formilux.org/msg32304.html https://access.redhat.com/security/cve/CVE-2018-20615 https://bugzilla.redhat.com/show_bug.cgi?id=1663060 • CWE-125: Out-of-bounds Read •
CVE-2018-20102 – haproxy: Out-of-bounds read in dns.c:dns_validate_dns_response() allows for memory disclosure
https://notcve.org/view.php?id=CVE-2018-20102
An out-of-bounds read in dns_validate_dns_response in dns.c was discovered in HAProxy through 1.8.14. Due to a missing check when validating DNS responses, remote attackers might be able read the 16 bytes corresponding to an AAAA record from the non-initialized part of the buffer, possibly accessing anything that was left on the stack, or even past the end of the 8193-byte buffer, depending on the value of accepted_payload_size. Se ha descubierto una lectura fuera de límites en dns_validate_dns_response en dns.c en HAProxy hasta la versión 1.8.14. Debido a la falta de una comprobación al validar respuestas DNS, los atacantes remotos pueden leer los 16 bits que corresponden a un registro AAAA de la parte no inicializada del búfer, pudiendo acceder a cualquier cosa que haya quedado en la pila, o incluso más allá del final del búfer de 8193 bytes, dependiendo del valor de accepted_payload_size. • http://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=efbbdf72992cd20458259962346044cafd9331c0 http://www.securityfocus.com/bid/106223 https://access.redhat.com/errata/RHBA-2019:0326 https://access.redhat.com/errata/RHBA-2019:0327 https://access.redhat.com/errata/RHSA-2019:1436 https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html https://usn.ubuntu.com/3858-1 https://access.redhat.com/security/cve/CVE-2018-20102 https://bugzilla.redhat.com/show_bug.cgi?id=1658874 • CWE-125: Out-of-bounds Read •