CVE-2023-40225
haproxy: Proxy forwards malformed empty Content-Length headers
Severity Score
7.2
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
A flaw was found in HAProxy. Empty Content-Length headers are forwarded, which could cause an HTTP/1 server behind it to interpret the payload as an extra request. This may render the HTTP/1 server vulnerable to attacks in some uncommon cases.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-08-10 CVE Reserved
- 2023-08-10 CVE Published
- 2024-10-09 CVE Updated
- 2024-10-09 First Exploit
- 2024-11-14 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://cwe.mitre.org/data/definitions/436.html | Technical Description | |
| https://www.haproxy.org/download/2.6/src/CHANGELOG | Release Notes | |
| https://www.haproxy.org/download/2.7/src/CHANGELOG | Release Notes | |
| https://www.haproxy.org/download/2.8/src/CHANGELOG | Release Notes |
| URL | Date | SRC |
|---|---|---|
| https://github.com/haproxy/haproxy/issues/2237 | 2024-10-09 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856 | 2023-08-18 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-40225 | 2024-03-05 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2231370 | 2024-03-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | <= 2.0.32 Search vendor "Haproxy" for product "Haproxy" and version " <= 2.0.32" | - |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | >= 2.2.0 <= 2.2.30 Search vendor "Haproxy" for product "Haproxy" and version " >= 2.2.0 <= 2.2.30" | - |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | >= 2.4.0 <= 2.4.23 Search vendor "Haproxy" for product "Haproxy" and version " >= 2.4.0 <= 2.4.23" | - |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | >= 2.5.0 < 2.6.15 Search vendor "Haproxy" for product "Haproxy" and version " >= 2.5.0 < 2.6.15" | - |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | >= 2.7.0 < 2.7.10 Search vendor "Haproxy" for product "Haproxy" and version " >= 2.7.0 < 2.7.10" | - |
Affected
| ||||||
| Haproxy Search vendor "Haproxy" | Haproxy Search vendor "Haproxy" for product "Haproxy" | >= 2.8.0 < 2.8.2 Search vendor "Haproxy" for product "Haproxy" and version " >= 2.8.0 < 2.8.2" | - |
Affected
| ||||||