Unrated severityNVD Advisory· Published Nov 28, 2023· Updated Oct 15, 2024

CVE-2023-45539

Description

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

Affected products

HAProxy/HAProxydescription
osv-coords28 versions
pkg:apk/chainguard/haproxy-2.2 pkg:apk/chainguard/haproxy-2.2-doc pkg:apk/chainguard/haproxy-2.2-iamguarded-compat pkg:apk/chainguard/haproxy-2.2-oci-entrypoint pkg:apk/chainguard/haproxy-2.4 pkg:apk/chainguard/haproxy-2.4-doc pkg:apk/chainguard/haproxy-2.4-iamguarded-compat pkg:apk/chainguard/haproxy-2.4-nocaps pkg:apk/chainguard/haproxy-2.4-oci-entrypoint pkg:apk/chainguard/haproxy-2.6 pkg:apk/chainguard/haproxy-2.6-doc pkg:apk/chainguard/haproxy-2.6-iamguarded-compat pkg:apk/chainguard/haproxy-2.6-nocaps pkg:apk/chainguard/haproxy-2.6-oci-entrypoint pkg:bitnami/haproxy pkg:rpm/almalinux/haproxy pkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%20Micro%205.3 pkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%20Micro%205.4 pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1 pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2 pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3 pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4 pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5 pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20Micro%205.5
< 0+ 27 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 2.8.2
- (no CPE)range: < 2.4.22-3.el9_3
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.19.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.19.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.19.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.19.1
- (no CPE)range: < 2.0.31-150100.8.34.1
- (no CPE)range: < 2.0.31-150200.11.26.1
- (no CPE)range: < 2.0.31-150200.11.26.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.19.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.19.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.19.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.19.1
- (no CPE)range: < 2.4.22+git0.f8e3218e2-150400.3.19.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.debian.org/debian-lts-announce/2023/12/msg00010.htmlmitremailing-list
git.haproxy.orgmitre
lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.htmlmitre
www.mail-archive.com/haproxy%40formilux.org/msg43861.htmlmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000