CVSS: 8.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

References:
• https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6
• https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html
• https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html
• https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html
• https://access.redhat.com/security/cve/CVE-2023-45539
• https://bugzilla.redhat.com/show_bug.cgi?id=2253037

CWE:
• CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 7.5 • EPSS: 0% • CPEs: 6 • EXPL: 1

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

A flaw was found in HAProxy. Empty Content-Length headers are forwarded, which could cause an HTTP/1 server behind it to interpret the payload as an extra request. This may render the HTTP/1 server vulnerable to attacks in some uncommon cases.

References:
• https://cwe.mitre.org/data/definitions/436.html
• https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856
• https://github.com/haproxy/haproxy/issues/2237
• https://www.haproxy.org/download/2.6/src/CHANGELOG
• https://www.haproxy.org/download/2.7/src/CHANGELOG
• https://www.haproxy.org/download/2.8/src/CHANGELOG
• https://access.redhat.com/security/cve/CVE-2023-40225
• https://bugzilla.redhat.com/show_bug.cgi?id=2231370

CWE:
• CWE-20: Improper Input Validation
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVSS: 7.5 • EPSS: 0% • CPEs: 7 • EXPL: 0

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.

A flaw was found in HAProxy, which could allow a remote attacker to obtain sensitive information caused by improper initialization when encoding the FCGI_BEGIN_REQUEST record. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and use this information to launch further attacks against the affected system.

References:
• https://git.haproxy.org/?p=haproxy.git%3Ba=commitdiff%3Bh=2e6bf0a
• https://www.debian.org/security/2023/dsa-5388
• https://access.redhat.com/security/cve/CVE-2023-0836
• https://bugzilla.redhat.com/show_bug.cgi?id=2180746

CWE:
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-459: Incomplete Cleanup

CVSS: 9.1 • EPSS: 0% • CPEs: 8 • EXPL: 1

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

A flaw was found in HAProxy's header processing that causes HAProxy to drop important header fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them.

References:
• https://github.com/sgwgsw/LAB-CVE-2023-25725
• https://git.haproxy.org/?p=haproxy-2.7.git%3Ba=commit%3Bh=a0e561ad7f29ed50c473f5a9da664267b60d1112
• https://lists.debian.org/debian-lts-announce/2023/02/msg00012.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPTJQHKUEU2PQ7RWFUYAFLAD4STEIKHU
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JM5NCIBTHYDTLPY2UNC4HO2VAHHE6CJG
• https://www.debian.org/security/2023/dsa-5348
• https://www.hapro

CWE:
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVSS: 7.5 • EPSS: 1% • CPEs: 14 • EXPL: 5

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

The proxy server HAProxy has a flaw that could allow an HTTP request smuggling attack with the goal of bypassing access-control list rules defined by HAProxy. The attack was made possible by utilizing an integer overflow vulnerability that allowed reaching an unexpected state in HAProxy while parsing an HTTP request. The highest threat from this vulnerability is integrity.

References:
• https://github.com/knqyf263/CVE-2021-40346
• https://github.com/donky16/CVE-2021-40346-POC
• https://github.com/alikarimi999/CVE-2021-40346
• https://github.com/alexOarga/CVE-2021-40346
• https://git.haproxy.org/?p=haproxy.git
• https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95
• https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling
• https://lists.apache.org/thread.html/r284567dd7523f5823e2ce995f787ccd37b1cc4108779c50a97c79120%40%3Cdev.cloudstac

CWE:
• CWE-190: Integer Overflow or Wraparound
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')