CVE-2019-18277 – haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated "chunked" value
https://notcve.org/view.php?id=CVE-2019-18277
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).
• http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html
• http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html
• https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=196a7df44d8129d1adc795da020b722614d6a581
• https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html
• https://nathandavison.com/blog/haproxy-http-request-smuggling
• https://usn.ubuntu.com/4174-1
• https://www.mail-archive.com/haproxy%40formilux.org/msg34926.html
• https://access.redhat.com/sec
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2019-14241
https://notcve.org/view.php?id=CVE-2019-14241
HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.
• http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00060.html
• http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00062.html
• http://www.securityfocus.com/bid/109352
• https://github.com/haproxy/haproxy/issues/181
• CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2018-20615 – haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash
https://notcve.org/view.php?id=CVE-2018-20615
An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag in a HEADERS frame requires 5 extra bytes, and while these bytes are skipped, the total frame length was not re-checked to make sure they were present in the frame. A flaw was found in HAProxy, versions before 1.8.17 and 1.9.1.
• http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00018.html
• http://www.securityfocus.com/bid/106645
• https://access.redhat.com/errata/RHBA-2019:0327
• https://access.redhat.com/errata/RHSA-2019:0275
• https://usn.ubuntu.com/3858-1
• https://www.mail-archive.com/haproxy%40formilux.org/msg32304.html
• https://access.redhat.com/security/cve/CVE-2018-20615
• https://bugzilla.redhat.com/show_bug.cgi?id=1663060
• CWE-125: Out-of-bounds Read
CVE-2018-20102 – haproxy: Out-of-bounds read in dns.c:dns_validate_dns_response() allows for memory disclosure
https://notcve.org/view.php?id=CVE-2018-20102
An out-of-bounds read in dns_validate_dns_response in dns.c was discovered in HAProxy through 1.8.14. Due to a missing check when validating DNS responses, remote attackers might be able to read the 16 bytes corresponding to an AAAA record from the non-initialized part of the buffer, possibly accessing anything that was left on the stack, or even past the end of the 8193-byte buffer, depending on the value of accepted_payload_size.
• http://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=efbbdf72992cd20458259962346044cafd9331c0
• http://www.securityfocus.com/bid/106223
• https://access.redhat.com/errata/RHBA-2019:0326
• https://access.redhat.com/errata/RHBA-2019:0327
• https://access.redhat.com/errata/RHSA-2019:1436
• https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html
• https://usn.ubuntu.com/3858-1
• https://access.redhat.com/security/cve/CVE-2018-20102
• https://bugzilla.redhat.com/show_bug.cgi?id=1658874
• CWE-125: Out-of-bounds Read
CVE-2018-20103 – haproxy: Infinite recursion via crafted packet allows stack exhaustion and denial of service
https://notcve.org/view.php?id=CVE-2018-20103
An issue was discovered in dns.c in HAProxy through 1.8.14. In the case of a compressed pointer, a crafted packet can trigger infinite recursion by making the pointer point to itself, or create a long chain of valid pointers resulting in stack exhaustion.
• http://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=58df5aea0a0c926b2238f65908f5e9f83d1cca25
• http://www.securityfocus.com/bid/106280
• https://access.redhat.com/errata/RHBA-2019:0326
• https://access.redhat.com/errata/RHBA-2019:0327
• https://access.redhat.com/errata/RHSA-2019:1436
• https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html
• https://usn.ubuntu.com/3858-1
• https://access.redhat.com/security/cve/CVE-2018-20103
• https://bugzilla.redhat.com/show_bug.cgi?id=1658876
• CWE-400: Uncontrolled Resource Consumption
• CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')