CVE-2021-39240
haproxy: does not ensure that the scheme and path portions of a URI have the expected characters
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve.
Se ha detectado un problema en HAProxy versiones 2.2 anteriores a 2.2.16, versiones 2.3 anteriores a 2.3.13 y versiones 2.4 anteriores a 2.4.3. No se asegura que las porciones de esquema y ruta de un URI tengan los caracteres esperados. Por ejemplo, el campo authority (como es observado en un servidor HTTP/2 de destino) podrÃa diferir de lo que las reglas de enrutamiento pretendÃan lograr.
A flaw was found in haproxy. An input validation flaw when processing HTTP/2 requests causes haproxy to not ensure that the scheme and path portions of a URI have the expected characters. This may cause specially crafted input to bypass implemented security restrictions. The highest threat from this vulnerability is confidentiality.
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.8.25.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-08-17 CVE Reserved
- 2021-08-17 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=4b8852c70d8c4b7e225e24eb58258a15eb54c26e | X_refsource_misc | |
| https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=a495e0d94876c9d39763db319f609351907a31e8 | X_refsource_misc | |
| https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | >= 2.2.0 < 2.2.16 Search vendor "Haproxy" for product "Haproxy" and version " >= 2.2.0 < 2.2.16" | - |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | >= 2.3.0 < 2.3.13 Search vendor "Haproxy" for product "Haproxy" and version " >= 2.3.0 < 2.3.13" | - |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | >= 2.4.0 < 2.4.3 Search vendor "Haproxy" for product "Haproxy" and version " >= 2.4.0 < 2.4.3" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||