Unrated severityNVD Advisory· Published Aug 10, 2023· Updated Oct 9, 2024
CVE-2023-40225
CVE-2023-40225
Description
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Affected products
20- HAProxy/HAProxydescription
- osv-coords19 versionspkg:apk/chainguard/haproxypkg:apk/chainguard/haproxy-docpkg:apk/chainguard/haproxy-oci-entrypointpkg:apk/wolfi/haproxypkg:apk/wolfi/haproxy-docpkg:apk/wolfi/haproxy-oci-entrypointpkg:bitnami/haproxypkg:rpm/almalinux/haproxypkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20Micro%205.4
< 2.8.2-r0+ 18 more
- (no CPE)range: < 2.8.2-r0
- (no CPE)range: < 2.8.2-r0
- (no CPE)range: < 2.8.2-r0
- (no CPE)range: < 2.8.2-r0
- (no CPE)range: < 2.8.2-r0
- (no CPE)range: < 2.8.2-r0
- (no CPE)range: < 2.0.33
- (no CPE)range: < 2.4.22-3.el9_3
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.16.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.16.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.16.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.16.1
- (no CPE)range: < 2.0.31-150100.8.34.1
- (no CPE)range: < 2.0.31-150200.11.23.1
- (no CPE)range: < 2.0.31-150200.11.23.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.16.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.16.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.16.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.16.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- cwe.mitre.org/data/definitions/436.htmlmitre
- github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856mitre
- github.com/haproxy/haproxy/issues/2237mitre
- www.haproxy.org/download/2.6/src/CHANGELOGmitre
- www.haproxy.org/download/2.7/src/CHANGELOGmitre
- www.haproxy.org/download/2.8/src/CHANGELOGmitre
News mentions
0No linked articles in our index yet.