8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.
Recent assessments:
3dcyber at April 23, 2020 1:18pm UTC reported:
This vulnerability affects HAProxy and does not require prior authentication as indicated by the CVSS score. Hopefully there is an update to the CVSS.
This vulnerability allows RCE when HTTP2 is enabled on HAProxy. There is a PoC exploit created by the researcher who discovered the vulnerability.
Note that in some solutions HTTP2 on HAProxy may be enabled by default.
To defend against this vulnerability:
HAproxy patches can be applied.
As workaroud you can disable HTTP2.
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 4
lists.opensuse.org/opensuse-security-announce/2020-04/msg00002.html
packetstormsecurity.com/files/157323/haproxy-hpack-tbl.c-Out-Of-Bounds-Write.html
www.haproxy.org
bugzilla.redhat.com/show_bug.cgi?id=1819111
bugzilla.suse.com/show_bug.cgi?id=1168023
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11100
git.haproxy.org/?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88
git.haproxy.org?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88
lists.debian.org/debian-security-announce/2020/msg00052.html
lists.fedoraproject.org/archives/list/[email protected]/message/264C7UL3X7L7QE74ZJ557IOUFS3J4QQC
lists.fedoraproject.org/archives/list/[email protected]/message/264C7UL3X7L7QE74ZJ557IOUFS3J4QQC/
lists.fedoraproject.org/archives/list/[email protected]/message/MNW5RZLIX7LOXRLV7WMHX22CI43XSXKW
lists.fedoraproject.org/archives/list/[email protected]/message/MNW5RZLIX7LOXRLV7WMHX22CI43XSXKW/
security.gentoo.org/glsa/202012-22
usn.ubuntu.com/4321-1
usn.ubuntu.com/4321-1/
www.debian.org/security/2020/dsa-4649
www.haproxy.org/download/2.1/src/CHANGELOG
www.mail-archive.com/[email protected]/msg36876.html
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P