rpm package
almalinux/haproxy
pkg:rpm/almalinux/haproxy
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-11230 | — | < 3.0.5-4.el10_1.1 | 3.0.5-4.el10_1.1 | Nov 19, 2025 | Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests. | ||
| CVE-2023-45539 | — | < 2.4.22-3.el9_3 | 2.4.22-3.el9_3 | Nov 28, 2023 | HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. | ||
| CVE-2023-40225 | — | < 2.4.22-3.el9_3 | 2.4.22-3.el9_3 | Aug 10, 2023 | HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAP | ||
| CVE-2023-0836 | — | < 2.4.22-1.el9 | 2.4.22-1.el9 | Mar 29, 2023 | An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive | ||
| CVE-2023-0056 | — | < 2.4.17-3.el9_1.2 | 2.4.17-3.el9_1.2 | Mar 23, 2023 | An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. | ||
| CVE-2023-25725 | — | < 2.4.17-3.el9_1.2 | 2.4.17-3.el9_1.2 | Feb 14, 2023 | HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers an |
- CVE-2025-11230Nov 19, 2025affected < 3.0.5-4.el10_1.1fixed 3.0.5-4.el10_1.1
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.
- CVE-2023-45539Nov 28, 2023affected < 2.4.22-3.el9_3fixed 2.4.22-3.el9_3
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
- CVE-2023-40225Aug 10, 2023affected < 2.4.22-3.el9_3fixed 2.4.22-3.el9_3
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAP
- CVE-2023-0836Mar 29, 2023affected < 2.4.22-1.el9fixed 2.4.22-1.el9
An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive
- CVE-2023-0056Mar 23, 2023affected < 2.4.17-3.el9_1.2fixed 2.4.17-3.el9_1.2
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
- CVE-2023-25725Feb 14, 2023affected < 2.4.17-3.el9_1.2fixed 2.4.17-3.el9_1.2
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers an