
1990 matches found

OpenVAS
added 2023/02/26 12:0 a.m., 33 views

Fedora: Security Advisory for haproxy (FEDORA-2023-3e8a21cd5b)

The remote host is missing an update for the Copyright (C) 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

8 AI score
Exploits 0, References 2

OpenVAS
added 2023/02/26 12:0 a.m., 23 views

Fedora: Security Advisory for haproxy (FEDORA-2023-7e04833463)

The remote host is missing an update for the Copyright (C) 2023 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

8 AI score
Exploits 0, References 2

Veracode
added 2023/02/25 8:47 p.m., 33 views

Privilege Escalation

haproxy, buster is vulnerable to Privilege Escalation. An attacker is able to change their resource allocations, promote containers to privileged mode, or potentially add ssh authorized keys to a remote shell on the target machine by creating new files on the host system. In order for an attacker...

9.1 CVSS, 8.7 AI score, 0.17535 EPSS
Exploits 0, References 10, Affected Software 4

Fedora
added 2023/02/25 4:2 a.m., 41 views

[SECURITY] Fedora 36 Update: haproxy-2.4.22-2.fc36

HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...

9.1 CVSS, 7.8 AI score, 0.17535 EPSS
Exploits 0

Fedora
added 2023/02/25 3:44 a.m., 31 views

[SECURITY] Fedora 37 Update: haproxy-2.6.9-1.fc37

HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...

9.1 CVSS, 7.8 AI score, 0.17535 EPSS
Exploits 0

Tenable Nessus
added 2023/02/25 12:0 a.m., 27 views

Fedora 36 : haproxy (2023-7e04833463)

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-7e04833463 advisory. Security fix for CVE-2023-0056, CVE-2023-25725 Tenable has extracted the preceding description block directly from the Fedora security advisory. Not...

9.1 CVSS, 6.5 AI score, 0.17535 EPSS
Exploits 0, References 3

Tenable Nessus
added 2023/02/25 12:0 a.m., 29 views

Fedora 37 : haproxy (2023-3e8a21cd5b)

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-3e8a21cd5b advisory. Security fix for CVE-2023-0056, CVE-2023-25725 Tenable has extracted the preceding description block directly from the Fedora security advisory. Not...

9.1 CVSS, 6.5 AI score, 0.17535 EPSS
Exploits 0, References 3

Hacker One
added 2023/02/23 12:30 p.m., 117 views

U.S. Dept Of Defense: HAProxy stats panel exposed externally

An exposed web panel for HAProxy running on a system allowed external access to the statistics page at port 1024, potentially exposing sensitive information...

7 AI score
Exploits 0

F5 Networks
added 2023/02/21 9:38 p.m., 28 views

K000132703: HAProxy vulnerability CVE-2021-40346

Security Advisory Description An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs. CVE-2021-40346 Impact There is no...

7.5 CVSS, 8.1 AI score, 0.92378 EPSS
Exploits 5

RedHat Linux
added 2023/02/21 6:14 p.m., 2 views

haproxy: segfault DoS

An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability...

6.5 CVSS, 6.6 AI score, 0.00147 EPSS
Exploits 0, References 5

RedHat Linux
added 2023/02/21 3:41 p.m., 4 views

codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS

A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS)...

7.5 CVSS, 7.1 AI score, 0.00472 EPSS
Exploits 1, References 4

Microsoft CVE
added 2023/02/20 8:0 a.m., 3 views

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

...

9.1 CVSS, 7.5 AI score, 0.17535 EPSS
Exploits 0

Tenable Nessus
added 2023/02/18 12:0 a.m., 29 views

Debian dla-3318 : haproxy - security update

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3318 advisory. Debian LTS Advisory DLA-3318-1 https://www.debian.org/lts/security/...

9.1 CVSS, 7.4 AI score, 0.17535 EPSS
Exploits 0, References 4

BDU FSTEC
added 2023/02/17 12:0 a.m., 1 views

The vulnerability of the server software HAProxy, related to deficiencies in HTTP request processing, allows attackers to carry out the “HTTP request hijacking” attack.

The vulnerability of the server-side software HAProxy is related to deficiencies in HTTP request processing. Exploiting this vulnerability allows a malicious actor to carry out an “HTTP request hijacking” attack...

7.8 CVSS, 7.4 AI score, 0.17535 EPSS
Exploits 0, References 18, Affected Software 12

RedHat Linux
added 2023/02/16 4:12 p.m., 3 views

haproxy: segfault DoS

An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability...

6.5 CVSS, 6.6 AI score, 0.00147 EPSS
Exploits 0, References 5

RedHat Linux
added 2023/02/16 12:57 p.m., 3 views

codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS

A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS)...

7.5 CVSS, 7.1 AI score, 0.00472 EPSS
Exploits 1, References 4

NCSC
added 2023/02/16 12:0 a.m., 3 views

Vulnerability fixed in HAProxy

HAProxy has fixed a vulnerability in all supported versions of HAProxy. Because headers are not always correctly processed, other headers can potentially become hidden from the parser of the proxy. This can cause so-called "Request Smuggling" to occur. Request Smuggling attacks can lead to...

9.1 CVSS, 6.9 AI score, 0.17535 EPSS
Exploits 0

OpenVAS
added 2023/02/16 12:0 a.m., 18 views

Debian: Security Advisory (DSA-5348-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...

9.1 CVSS, 8 AI score, 0.17535 EPSS
Exploits 0, References 4

SUSE CVE
added 2023/02/15 5:39 a.m., 1 views

SUSE CVE-2013-1912

Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5-dev17, when HTTP keep-alive is enabled, using HTTP keywords in TCP inspection rules, and running with rewrite rules that appends to requests, allows remote attackers to cause a denial of service (crash) and possibly execute...

5.1 CVSS, 8.1 AI score, 0.00186 EPSS
Exploits 0, References 3

SUSE CVE
added 2023/02/15 5:38 a.m., 1 views

SUSE CVE-2013-2175

HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the...

5 CVSS, 6.9 AI score, 0.00076 EPSS
Exploits 0, References 3