Haproxy

Haproxy

34 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.1

CVE-2023-25725

  • EPSS 27.98%
  • Veröffentlicht 14.02.2023 19:15:11
  • Zuletzt bearbeitet 20.03.2025 20:15:29

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to trunca...

7.5

CVE-2022-0711

  • EPSS 66.48%
  • Veröffentlicht 02.03.2022 22:15:08
  • Zuletzt bearbeitet 21.11.2024 06:39:14

A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service cond...

7.5

CVE-2021-40346

Exploit
  • EPSS 92.85%
  • Veröffentlicht 08.09.2021 17:15:12
  • Zuletzt bearbeitet 21.11.2024 06:23:54

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

7.5

CVE-2021-39242

  • EPSS 0.47%
  • Veröffentlicht 17.08.2021 19:15:08
  • Zuletzt bearbeitet 21.11.2024 06:18:59

An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.

5.3

CVE-2021-39241

  • EPSS 0.44%
  • Veröffentlicht 17.08.2021 19:15:08
  • Zuletzt bearbeitet 21.11.2024 06:18:59

An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this ...

7.5

CVE-2021-39240

  • EPSS 0.07%
  • Veröffentlicht 17.08.2021 19:15:08
  • Zuletzt bearbeitet 21.11.2024 06:18:59

An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/...

8.8

CVE-2020-11100

  • EPSS 74.79%
  • Veröffentlicht 02.04.2020 15:15:17
  • Zuletzt bearbeitet 21.11.2024 04:56:47

In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.

9.8

CVE-2019-19330

  • EPSS 0.96%
  • Veröffentlicht 27.11.2019 16:15:11
  • Zuletzt bearbeitet 21.11.2024 04:34:35

The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.

7.5

CVE-2019-18277

Exploit
  • EPSS 0.97%
  • Veröffentlicht 23.10.2019 14:15:10
  • Zuletzt bearbeitet 21.11.2024 04:32:57

A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it cou...

7.5

CVE-2019-14241

Exploit
  • EPSS 37.04%
  • Veröffentlicht 23.07.2019 13:15:13
  • Zuletzt bearbeitet 21.11.2024 04:26:16

HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.