CVE-2023-45539

Published: Nov 28, 2023Modified: Nov 21, 2024

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Exploitability: 3.9 / Impact: 4.2

Source: NVD

Description

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

Affected (1)

Products: Haproxy: Haproxy

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Haproxy Haproxy	Before 2.8.2

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (8)

https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6

Source: cve@mitre.org

Broken Link

https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html

Source: cve@mitre.org

https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html

Source: cve@mitre.org

Mailing List

https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html

Source: cve@mitre.org

Release Notes

https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

Timeline

No history available yet.