Unrated severityNVD Advisory· Published Oct 23, 2019· Updated Aug 5, 2024
CVE-2019-18277
CVE-2019-18277
Description
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
16- HAProxy/HAProxydescription
- osv-coords14 versionspkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/haproxy&distro=openSUSE%20Tumbleweedpkg:rpm/suse/haproxy&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2012%20SP3pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2012%20SP4pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2012%20SP5pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/haproxy&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/haproxy&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/haproxy&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/haproxy&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/haproxy&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 2.0.10+git0.ac198b92-lp150.2.16.1+ 13 more
- (no CPE)range: < 2.0.10+git0.ac198b92-lp150.2.16.1
- (no CPE)range: < 2.0.10+git0.ac198b92-lp151.2.6.1
- (no CPE)range: < 2.4.4+git0.acb1d0bea-1.2
- (no CPE)range: < 1.6.11-11.3.1
- (no CPE)range: < 1.6.11-11.3.1
- (no CPE)range: < 1.6.11-11.3.1
- (no CPE)range: < 1.6.11-11.3.1
- (no CPE)range: < 2.0.10+git0.ac198b92-3.15.1
- (no CPE)range: < 2.0.10+git0.ac198b92-8.8.1
- (no CPE)range: < 1.6.11-11.3.1
- (no CPE)range: < 1.6.11-11.3.1
- (no CPE)range: < 1.6.11-11.3.1
- (no CPE)range: < 1.6.11-11.3.1
- (no CPE)range: < 1.6.11-11.3.1
Patches
Vulnerability mechanics
References
7- lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.htmlmitrevendor-advisoryx_refsource_SUSE
- usn.ubuntu.com/4174-1/mitrevendor-advisoryx_refsource_UBUNTU
- git.haproxy.orgmitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2022/05/msg00045.htmlmitremailing-listx_refsource_MLIST
- nathandavison.com/blog/haproxy-http-request-smugglingmitrex_refsource_MISC
- www.mail-archive.com/haproxy%40formilux.org/msg34926.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.