← Back

CVE-2023-40225

nvd nist
Published: Aug 10, 2023Modified: Nov 21, 2024

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Exploitability: 3.9 / Impact: 2.7
Source: NVD

Description

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

Affected (6)

Products: Haproxy: Haproxy
Haproxy
1 product
Haproxy
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Haproxy
Haproxy
Up to 2.0.32
Haproxy
From 2.2.0 to 2.2.30
Haproxy
From 2.4.0 to 2.4.23
Haproxy
From 2.5.0 to 2.6.15
Haproxy
From 2.7.0 to 2.7.10
Haproxy
From 2.8.0 to 2.8.2

Related CWEs

CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References (12)

Source: cve@mitre.org
Technical Description
Source: cve@mitre.org
Patch
Source: cve@mitre.org
ExploitIssue TrackingVendor Advisory
Source: cve@mitre.org
Release Notes
Source: cve@mitre.org
Release Notes
Source: cve@mitre.org
Release Notes
Source: af854a3a-2127-422b-91ae-364da2661108
Technical Description
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitIssue TrackingVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes

Timeline

No history available yet.