CVE-2018-20615
haproxy: Mishandling of priority flag in short HEADERS frame by HTTP/2 decoder allows for crash
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can result in a crash. The processing of the PRIORITY flag in a HEADERS frame requires 5 extra bytes, and while these bytes are skipped, the total frame length was not re-checked to make sure they were present in the frame.
Se ha descubierto un problema de lectura fuera de límites en el decodificador del protocolo HTTP/2 en HAProxy, en versiones 1.8.x y 1.9.x hasta la 1.9.0, lo que puede resultar en un cierre inesperado. El procesamiento del flag PRIORITY en un frame HEADERS requiere 5 bytes adicionales y, aunque se omiten estos bytes, la longitud total del frame no se volvió a comprobar para asegurar que estaban presentes en la trama.
A flaw was found in HAProxy, versions before 1.8.17 and 1.9.1. Mishandling occurs when a priority flag is set on too short HEADERS frame in the HTTP/2 decoder, allowing an out-of-bounds read and a subsequent crash to occur. A remote attacker can exploit this flaw to cause a denial of service. Those who do not use HTTP/2 are unaffected.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-12-31 CVE Reserved
- 2019-02-05 CVE Published
- 2024-08-05 CVE Updated
- 2024-11-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-125: Out-of-bounds Read
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00018.html | Mailing List |
|
| http://www.securityfocus.com/bid/106645 | Third Party Advisory | |
| https://www.mail-archive.com/haproxy%40formilux.org/msg32304.html | Mailing List |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHBA-2019:0327 | 2023-11-07 | |
| https://access.redhat.com/errata/RHSA-2019:0275 | 2023-11-07 | |
| https://usn.ubuntu.com/3858-1 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2018-20615 | 2019-03-14 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1663060 | 2019-03-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | >= 1.8.0 <= 1.8.19 Search vendor "Haproxy" for product "Haproxy" and version " >= 1.8.0 <= 1.8.19" | - |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | - |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev0 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev1 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev10 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev11 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev2 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev3 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev4 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev5 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev6 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev7 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev8 |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | 1.9.0 Search vendor "Haproxy" for product "Haproxy" and version "1.9.0" | dev9 |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.0 Search vendor "Opensuse" for product "Leap" and version "15.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.4 Search vendor "Redhat" for product "Enterprise Linux" and version "7.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.5 Search vendor "Redhat" for product "Enterprise Linux" and version "7.5" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.6 Search vendor "Redhat" for product "Enterprise Linux" and version "7.6" | - |
Affected
| ||||||