JVN#38170084: HAProxy vulnerable to HTTP request/response smuggling

Published 2023-03-31 by Japan Vulnerability Notes (jvn.jp)

EPSS score: 0.002 (Low), percentile 54.2%

HAProxy’s HTTP/3 implementation fails to block a malformed HTTP header field name. When HAProxy is deployed in front of a server that incorrectly processes this malformed header, the flaw may be used to conduct an HTTP request/response smuggling attack (CWE-444).
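As an added example (not HAProxy's own code), the strict field-name check a front-end proxy should apply to a decoded HTTP/3 header list so that a malformed name is rejected instead of being forwarded to a back end; the list-of-pairs input format, the function names and the sample headers are assumptions constructed for this illustration.

```python
# Added example, not HAProxy's code. Validates decoded HTTP/3 header lists
# (assumed format: list of (name, value) pairs, as produced by a QPACK decoder).
# RFC 9110 s.5.1: field-name = token = 1*tchar
#   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^"
#         / "_" / "`" / "|" / "~" / DIGIT / ALPHA
# RFC 9114 s.4.2: names must be lowercase; a request with an invalid
# field name or a CR/LF/NUL in a field value must be treated as malformed.
import string

TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)
REQUEST_PSEUDO_HEADERS = {":method", ":scheme", ":authority", ":path"}


def is_valid_field_name(name: str) -> bool:
    """True only if name is a non-empty, lowercase RFC 9110 token."""
    if not name:
        return False
    return all(c in TCHAR and not c.isupper() for c in name)


def validate_header_list(headers):
    """Return (ok, reason) for a decoded request header list.

    Rejects unknown pseudo-headers, pseudo-headers placed after regular
    fields, non-token field names, and control characters in values, so
    the request is refused at the proxy rather than forwarded."""
    seen_regular = False
    for name, value in headers:
        if name.startswith(":"):
            if name not in REQUEST_PSEUDO_HEADERS:
                return False, f"unknown pseudo-header {name!r}"
            if seen_regular:
                return False, f"pseudo-header {name!r} after regular field"
            continue
        seen_regular = True
        if not is_valid_field_name(name):
            return False, f"malformed field name {name!r}"
        if any(c in "\r\n\0" for c in value):
            return False, f"control character in value of {name!r}"
    return True, "ok"


def demo():
    """Constructed sample: one well-formed request, one with a bad name."""
    base = [(":method", "GET"), (":scheme", "https"),
            (":authority", "example.test"), (":path", "/")]
    good = base + [("user-agent", "constructed-client/1.0")]
    bad = base + [("x broken", "1")]          # space is not a tchar
    return validate_header_list(good), validate_header_list(bad)
```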

Impact

A remote attacker may alter a legitimate user’s request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.

Solution

Update the Software
Update the Software to the latest version according to the information provided by the developer.
The developer addressed the vulnerability in the following versions:

  • HAProxy version 2.7.1
  • HAProxy version 2.6.8

Products Affected

  • HAProxy version 2.7.0
  • HAProxy version 2.6.1 to 2.6.7