CVE-2021-40346 – haproxy: request smuggling attack or response splitting via duplicate content-length header
https://notcve.org/view.php?id=CVE-2021-40346
An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs. Se presenta un desbordamiento de enteros en HAProxy versiones 2.0 a 2.5, en la función htx_add_header() que puede ser explotada para llevar a cabo un ataque de contrabando de peticiones HTTP, permitiendo a un atacante omitir todas las ACLs configuradas de HAProxy de peticiones http y posiblemente otras ACLs Proxy server haproxy has a flaw that can could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by haproxy. The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in haproxy while parsing an HTTP request. The highest threat from this vulnerability is integrity. • https://github.com/knqyf263/CVE-2021-40346 https://github.com/donky16/CVE-2021-40346-POC https://github.com/alikarimi999/CVE-2021-40346 https://github.com/alexOarga/CVE-2021-40346 https://git.haproxy.org/?p=haproxy.git https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95 https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling https://lists.apache.org/thread.html/r284567dd7523f5823e2ce995f787ccd37b1cc4108779c50a97c79120%40%3Cdev.cloudstac • CWE-190: Integer Overflow or Wraparound CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2021-39240 – haproxy: does not ensure that the scheme and path portions of a URI have the expected characters
https://notcve.org/view.php?id=CVE-2021-39240
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve. Se ha detectado un problema en HAProxy versiones 2.2 anteriores a 2.2.16, versiones 2.3 anteriores a 2.3.13 y versiones 2.4 anteriores a 2.4.3. No se asegura que las porciones de esquema y ruta de un URI tengan los caracteres esperados. • https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=4b8852c70d8c4b7e225e24eb58258a15eb54c26e https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=a495e0d94876c9d39763db319f609351907a31e8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ALECUZDIMT5FYGP6V6PVSI4BKVZTZWN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RPNY4WZIQUAUOCLIMUPC37AQWNXTWIQM https://www.debian.org/security/2021/dsa-4960 https://www.mail-archive.com/haproxy%40formilux.org/msg41041 • CWE-20: Improper Input Validation •
CVE-2021-39241 – haproxy: an HTTP method name may contain a space followed by the name of a protected resource
https://notcve.org/view.php?id=CVE-2021-39241
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example. Se ha detectado un problema en HAProxy versiones 2.0 anteriores a 2.0.24, versiones 2.2 anteriores a 2.2.16, versiones 2.3 anteriores a 2.3.13 y versiones 2.4 anteriores a 2.4.3. • https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=89265224d314a056d77d974284802c1b8a0dc97f https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ALECUZDIMT5FYGP6V6PVSI4BKVZTZWN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RPNY4WZIQUAUOCLIMUPC37AQWNXTWIQM https://www.debian.org/security/2021/dsa-4960 https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html https://access.redhat.com/security/cve/CVE-2021-39241 https://bugzilla.redha • CWE-20: Improper Input Validation •
CVE-2021-39242 – haproxy: it can lead to a situation with an attacker-controlled HTTP Host header because a mismatch between Host and authority is mishandled
https://notcve.org/view.php?id=CVE-2021-39242
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled. Se ha detectado un problema en HAProxy versiones 2.2 anteriores a 2.2.16, versiones 2.3 anteriores a 2.3.13 y versiones 2.4 anteriores a 2.4.3. Puede conllevar a una situación con un encabezado HTTP Host controlada por un atacante, porque es manejado inapropiadamente un desajuste entre Host y autoridad. haproxy was found to be vulnerable to HTTP host header attack: This problem creates a scenario in which it's possible to drop the Host header and use the authority only after forwarding to a second http2 layer, possibly causing two differing values of Host at a different stage. The highest threat from this vulnerability is data integrity. • https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=b5d2b9e154d78e4075db163826c5e0f6d31b2ab1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ALECUZDIMT5FYGP6V6PVSI4BKVZTZWN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RPNY4WZIQUAUOCLIMUPC37AQWNXTWIQM https://www.debian.org/security/2021/dsa-4960 https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html https://access.redhat.com/security/cve/CVE-2021-39242 https://bugzilla.redha • CWE-20: Improper Input Validation CWE-755: Improper Handling of Exceptional Conditions •