CVE-2018-14645 – haproxy: Out-of-bounds read in HPACK decoder
https://notcve.org/view.php?id=CVE-2018-14645
A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpack_valid_idx() resulted in a remote crash and denial of service. Se ha descubierto un fallo en el descodificador HPACK de HAProxy en versiones anteriores a la 1.8.14 que se utiliza para HTTP/2. Un acceso de lectura fuera de límites en hpack_vallid_idx() resultó en un cierre inesperado remoto y una denegación de servicio (DoS). A flaw was discovered in the HPACK decoder of haproxy, before 1.8.14, that is used for HTTP/2. • https://access.redhat.com/errata/RHBA-2019:0028 https://access.redhat.com/errata/RHSA-2018:2882 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14645 https://usn.ubuntu.com/3780-1 https://www.mail-archive.com/haproxy%40formilux.org/msg31253.html https://access.redhat.com/security/cve/CVE-2018-14645 https://bugzilla.redhat.com/show_bug.cgi?id=1630048 • CWE-125: Out-of-bounds Read •
CVE-2018-11469 – haproxy: Information disclosure in check_request_for_cacheability function in proto_http.c
https://notcve.org/view.php?id=CVE-2018-11469
Incorrect caching of responses to requests including an Authorization header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows attackers to achieve information disclosure via an unauthenticated remote request, related to the proto_http.c check_request_for_cacheability function. El cacheado incorrecto de respuestas a peticiones que incluyen una cabecera Authorization en HAProxy, de la versión 1.8.0 hasta la 1.8.9 (si cache está habilitado) permite que los atacantes logren la divulgación de información mediante una petición remota no autenticada. Esto está relacionado con la función check_request_for_cacheability en proto_http.c. • http://www.securityfocus.com/bid/104347 https://access.redhat.com/errata/RHSA-2019:1436 https://git.haproxy.org/?p=haproxy-1.8.git%3Ba=commit%3Bh=17514045e5d934dede62116216c1b016fe23dd06 https://usn.ubuntu.com/3663-1 https://access.redhat.com/security/cve/CVE-2018-11469 https://bugzilla.redhat.com/show_bug.cgi?id=1582635 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-10184 – haproxy: Heap buffer overflow in mux_h2.c:h2_process_demux() can allow attackers to cause a denial of service
https://notcve.org/view.php?id=CVE-2018-10184
An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the max_frame_size setting instead of being checked against the bufsize. The max_frame_size only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the SETTINGS frame, a wrapped frame will be defragmented into a temporary allocated buffer where the second fragment may overflow the heap by up to 16 kB. It is very unlikely that this can be exploited for code execution given that buffers are very short lived and their addresses not realistically predictable in production, but the likelihood of an immediate crash is absolutely certain. Se ha descubierto un problema en versiones anteriores a la 1.8.8 de HAProxy. • http://git.haproxy.org/?p=haproxy-1.8.git%3Ba=commit%3Bh=cd117685f0cff4f2f5577ef6a21eaae96ebd9f28 http://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=3f0e1ec70173593f4c2b3681b26c04a4ed5fc588 https://access.redhat.com/errata/RHSA-2018:1372 https://access.redhat.com/security/cve/CVE-2018-10184 https://bugzilla.redhat.com/show_bug.cgi?id=1569297 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •