CVE-2020-11100 – haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
https://notcve.org/view.php?id=CVE-2020-11100
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. En la función hpack_dht_insert en el archivo hpack-tbl.c en el decodificador HPACK en HAProxy versiones 1.8 hasta 2.x anteriores a 2.1.4, un atacante remoto puede escribir bytes arbitrarios alrededor de una determinada ubicación en la pila (heap) por medio de una petición HTTP/2 diseñada, causando posiblemente una ejecución de código remoto. A flaw was found in the way HAProxy processed certain HTTP/2 request packets. This flaw allows an attacker to send crafted HTTP/2 request packets, which cause memory corruption, leading to a crash or potential remote arbitrary code execution with the permissions of the user running HAProxy. The haproxy hpack implementation in hpack-tbl.c handles 0-length HTTP headers incorrectly. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00002.html http://packetstormsecurity.com/files/157323/haproxy-hpack-tbl.c-Out-Of-Bounds-Write.html http://www.haproxy.org https://bugzilla.redhat.com/show_bug.cgi?id=1819111 https://bugzilla.suse.com/show_bug.cgi?id=1168023 https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88 https://lists.debian.org/debian-security-announce/2020/msg00052.html https://lists.fedoraproject.org/archives/list/packag • CWE-787: Out-of-bounds Write •
CVE-2019-19330 – haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks
https://notcve.org/view.php?id=CVE-2019-19330
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks. La implementación de HTTP/2 en HAProxy versiones anteriores a la versión 2.0.10, maneja inapropiadamente los encabezados, como es demostrado por el retorno de carro (CR, ASCII 0xd), salto de línea (LF, ASCII 0xa) y el carácter cero (NUL, ASCII 0x0), también se conoce como Ataques de Encapsulación Intermedia . • https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=ac198b92d461515551b95daae20954b3053ce87e https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=146f53ae7e97dbfe496d0445c2802dd0a30b0878 https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=54f53ef7ce4102be596130b44c768d1818570344 https://seclists.org/bugtraq/2019/Nov/45 https://security.gentoo.org/glsa/202004-01 https://tools.ietf.org/html/rfc7540#section-10.3 https://usn.ubuntu.com/4212-1 https://www.debian.org/security/2019/dsa-4577 https • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2019-18277 – haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated "chunked" value
https://notcve.org/view.php?id=CVE-2019-18277
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification). Se encontró un fallo en HAProxy versiones anteriores a 2.0.6. En el modo legacy, los mensajes caracterizados por un encabezado de codificación de transferencia que no tenía el valor "chunked" no habían sido rechazados correctamente. • http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=196a7df44d8129d1adc795da020b722614d6a581 https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html https://nathandavison.com/blog/haproxy-http-request-smuggling https://usn.ubuntu.com/4174-1 https://www.mail-archive.com/haproxy%40formilux.org/msg34926.html https://access.redhat.com/sec • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2019-14241
https://notcve.org/view.php?id=CVE-2019-14241
HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c. HAProxy hasta versión 2.0.2, permite a los atacantes causar una denegación de servicio (ha_panic) por medio de vectores relacionados con la función htx_manage_client_side_cookies en el archivo proto_htx.c. • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00062.html http://www.securityfocus.com/bid/109352 https://github.com/haproxy/haproxy/issues/181 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •