7.2

CVE-2023-40225

Exploit
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HaproxyHaproxy Version <= 2.0.32
HaproxyHaproxy Version >= 2.2.0 <= 2.2.30
HaproxyHaproxy Version >= 2.4.0 <= 2.4.23
HaproxyHaproxy Version >= 2.5.0 < 2.6.15
HaproxyHaproxy Version >= 2.7.0 < 2.7.10
HaproxyHaproxy Version >= 2.8.0 < 2.8.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.82% 0.759
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.2 3.9 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://cwe.mitre.org/data/definitions/436.html
Technical Description
https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856
Patch
https://github.com/haproxy/haproxy/issues/2237
Vendor Advisory
Exploit
Issue Tracking
https://www.haproxy.org/download/2.6/src/CHANGELOG
Release Notes
https://www.haproxy.org/download/2.7/src/CHANGELOG
Release Notes
https://www.haproxy.org/download/2.8/src/CHANGELOG
Release Notes