Vulnerable Library - haproxy-1.9v1.9.1
Mirror of http://git.haproxy.org/git/haproxy-1.9.git
Library home page: https://github.com/cloudant/haproxy-1.9.git
Vulnerable Source Files (1)
/vendor/haproxy-1.9.1/src/hpack-tbl.c
Vulnerabilities
Note: In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
CVE-2019-19330
### Vulnerable Library - haproxy-1.9v1.9.1
Mirror of http://git.haproxy.org/git/haproxy-1.9.git
Library home page: https://github.com/cloudant/haproxy-1.9.git
Found in base branch: main
### Vulnerable Source Files (1)
/vendor/haproxy-1.9.1/src/h2.c
### Vulnerability Details
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
Publish Date: 2019-11-27
URL: CVE-2019-19330
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.4%
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19330
Release Date: 2020-04-01
Fix Resolution: v2.0.10
CVE-2023-25725
### Vulnerable Libraries - haproxy-1.9v1.9.1, haproxy-1.9v1.9.1
### Vulnerability Details
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.
Publish Date: 2023-02-14
URL: CVE-2023-25725
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High
CVE-2020-11100
### Vulnerable Library - haproxy-1.9v1.9.1
Mirror of http://git.haproxy.org/git/haproxy-1.9.git
Library home page: https://github.com/cloudant/haproxy-1.9.git
Found in base branch: main
### Vulnerable Source Files (1)
/vendor/haproxy-1.9.1/src/hpack-tbl.c
### Vulnerability Details
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.
Publish Date: 2020-04-02
URL: CVE-2020-11100
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.8%
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-11100
Release Date: 2020-04-02
Fix Resolution: haproxy-debugsource - 1.8.15-5,1.8.15-6;haproxy-debuginfo - 1.8.15-5,1.8.15-6;haproxy - 1.8.15-5,1.8.15-6,1.8.15-5,1.8.15-5,1.8.15-6,1.8.15-6,1.8.15-6,1.8.15-6
CVE-2023-45539
### Vulnerable Library - haproxy-1.9v1.9.1
Mirror of http://git.haproxy.org/git/haproxy-1.9.git
Library home page: https://github.com/cloudant/haproxy-1.9.git
Found in base branch: main
### Vulnerable Source Files (1)
/vendor/haproxy-1.9.1/src/h1.c
### Vulnerability Details
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
Publish Date: 2023-11-28
URL: CVE-2023-45539
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-45539
Release Date: 2023-11-28
Fix Resolution: v2.8.2
CVE-2021-39242
### Vulnerable Library - haproxy-1.9v1.9.1
Mirror of http://git.haproxy.org/git/haproxy-1.9.git
Library home page: https://github.com/cloudant/haproxy-1.9.git
Found in base branch: main
### Vulnerable Source Files (1)
/vendor/haproxy-1.9.1/src/h2.c
### Vulnerability Details
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.
Publish Date: 2021-08-17
URL: CVE-2021-39242
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.7%
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-39242
Release Date: 2021-08-17
Fix Resolution: haproxy - 2.2.16-1,2.2.9-2+deb11u1
CVE-2021-39240
### Vulnerable Library - haproxy-1.9v1.9.1
Mirror of http://git.haproxy.org/git/haproxy-1.9.git
Library home page: https://github.com/cloudant/haproxy-1.9.git
Found in base branch: main
### Vulnerable Source Files (1)
/vendor/haproxy-1.9.1/src/h2.c
### Vulnerability Details
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve.
Publish Date: 2021-08-17
URL: CVE-2021-39240
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.5%
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-39240
Release Date: 2021-08-17
Fix Resolution: haproxy - 2.2.16-1,2.2.9-2+deb11u1
CVE-2023-40225
### Vulnerable Libraries - haproxy-1.9v1.9.1, haproxy-1.9v1.9.1
### Vulnerability Details
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Publish Date: 2023-08-10
URL: CVE-2023-40225
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
CVE-2019-11323
### Vulnerable Library - haproxy-1.9v1.9.1
Mirror of http://git.haproxy.org/git/haproxy-1.9.git
Library home page: https://github.com/cloudant/haproxy-1.9.git
Found in base branch: main
### Vulnerable Source Files (1)
### Vulnerability Details
HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use of uninitialized, and very predictable, HMAC keys. This is related to an include/types/ssl_sock.h error.
Publish Date: 2019-05-09
URL: CVE-2019-11323
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11323
Release Date: 2019-05-09
Fix Resolution: v1.9.7
CVE-2021-39241
### Vulnerable Library - haproxy-1.9v1.9.1
Mirror of http://git.haproxy.org/git/haproxy-1.9.git
Library home page: https://github.com/cloudant/haproxy-1.9.git
Found in base branch: main
### Vulnerable Source Files (1)
/vendor/haproxy-1.9.1/src/h2.c
### Vulnerability Details
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example.
Publish Date: 2021-08-17
URL: CVE-2021-39241
### Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-39241
Release Date: 2021-08-17
Fix Resolution: haproxy - 2.2.16-1,2.2.9-2+deb11u1