HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x
through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and
2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC
9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may
interpret the payload as an extra request.
| Author | Note |
|---|---|
| rodrigo-zaiden | The affected Content-Length header parsing was added in v1.9, with HTX mode. Legacy mode in v2.0 and before has the correct check; hence, Ubuntu releases older than focal are not affected. There is a follow-up commit to handle a specific corner case where leading zeroes on Content-Length are being preserved, and a bogus server could take it as a prefix, that being commit 22731762. Upstream stated that the leading zeroes situation can still happen in versions older than v1.9; it could be addressed in v2.0+ (with HTX) but it is not feasible for older versions due to the way values are indexed. (More information on the bug link.) |
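As an added illustration of the RFC 9110 section 8.6 check the description refers to, and of the leading-zero corner case mentioned in the note, the following Python validator shows what an HTTP/1 intermediary should do with Content-Length before forwarding a request. It is example code written for this page, not HAProxy's parser or any of the commits cited; rewriting the forwarded value in canonical decimal form (dropping leading zeros) is this example's own choice, and the sample requests are constructed, not captured traffic.

```python
"""Strict Content-Length handling for an HTTP/1 intermediary (added example,
not HAProxy code). It applies the RFC 9110 section 8.6 rules: the field
value is 1*DIGIT, so an empty value is invalid; several members are only
acceptable when all are the same valid number. Canonicalising the forwarded
value (leading zeros removed) is an assumption of this example."""
import re

_DIGITS = re.compile(r"[0-9]+")


class MalformedRequest(ValueError):
    """Raised when the message must be rejected rather than forwarded."""


def parse_header_block(raw: bytes):
    """Split 'start-line CRLF *(field-line CRLF) CRLF' into the start line
    and a list of (name, value) pairs. Minimal parser: no obs-fold support."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedRequest("header block not terminated")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # RFC 9112 5.1: no whitespace is allowed between the name and the colon
        if not colon or not name or name != name.strip(b" \t"):
            raise MalformedRequest(f"bad header line {line!r}")
        headers.append((name.decode("ascii"), value.strip(b" \t").decode("ascii")))
    return lines[0].decode("ascii"), headers


def parse_content_length(field_values):
    """Combine every Content-Length field line (each may be a comma list) and
    return the single integer they agree on, or None when the field is absent.
    Anything else is rejected: an empty member (the CVE-2023-40225 case), a
    non-digit member, or members that disagree with each other."""
    members = [m.strip(" \t") for v in field_values for m in v.split(",")]
    if not members:
        return None
    for m in members:
        if not _DIGITS.fullmatch(m):
            raise MalformedRequest(f"invalid Content-Length member {m!r}")
    values = {int(m) for m in members}
    if len(values) != 1:
        raise MalformedRequest(f"conflicting Content-Length values {sorted(values)}")
    return values.pop()


def vet_request(raw: bytes):
    """Return ("forward", rewritten_head) or ("reject", reason). A forwarded
    head carries at most one Content-Length line, in canonical decimal form."""
    try:
        start, headers = parse_header_block(raw)
        length = parse_content_length(
            [v for n, v in headers if n.lower() == "content-length"])
    except MalformedRequest as exc:
        return ("reject", str(exc))
    out, emitted = [], False
    for name, value in headers:
        if name.lower() != "content-length":
            out.append((name, value))
        elif not emitted:  # keep the first position, drop duplicates
            out.append(("Content-Length", str(length)))
            emitted = True
    head = start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in out) + "\r\n"
    return ("forward", head.encode("ascii"))


# Constructed sample requests for demonstration (not captured traffic).
SAMPLES = {
    "empty": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length:\r\n\r\nabc",
    "leading_zeros": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 007\r\n\r\n",
    "duplicate_same": b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                      b"Content-Length: 5\r\nContent-Length: 5\r\n\r\n",
    "list_conflict": b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5, 6\r\n\r\n",
    "absent": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, detail = vet_request(raw)
        print(f"{label:15} {verdict:8} {detail!r}")
```

The "empty" sample is the situation the advisory describes: a proxy that forwards `Content-Length:` with no value leaves the origin server to guess the message length, so the validator rejects it instead. Identical duplicates collapse to one line, and "007" is forwarded as "7" so that no downstream parser can treat the zeros as a prefix.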
github.com/advisories/GHSA-xgq7-jp95-v2qv
launchpad.net/bugs/cve/CVE-2023-40225
nvd.nist.gov/vuln/detail/CVE-2023-40225
security-tracker.debian.org/tracker/CVE-2023-40225
ubuntu.com/security/notices/USN-6294-1
ubuntu.com/security/notices/USN-6294-2
www.cve.org/CVERecord?id=CVE-2023-40225
www.haproxy.org/download/2.6/src/CHANGELOG
www.haproxy.org/download/2.7/src/CHANGELOG
www.haproxy.org/download/2.8/src/CHANGELOG