osv | Google | OSV:BIT-HAPROXY-2023-45539
History: Mar 06, 2024 - 10:52 a.m.

BIT-haproxy-2023-45539

2024-03-06 10:52:59
Google
osv.dev
Tags: haproxy vulnerability, uri parsing, remote attackers, sensitive information, path_end rule

CVSS3: 8.2

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

AI Score: 7.2
Confidence: High

EPSS: 0.001
Percentile: 46.4%

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
