rpm package

opensuse/haproxy&distro=openSUSE Leap 15.4

pkg:rpm/opensuse/haproxy&distro=openSUSE%20Leap%2015.4

Vulnerabilities (5)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2023-45539	—	< 2.4.22+git0.f8e3218e2-150400.3.19.1	2.4.22+git0.f8e3218e2-150400.3.19.1	Nov 28, 2023	HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
CVE-2023-40225	—	< 2.4.22+git0.f8e3218e2-150400.3.16.1	2.4.22+git0.f8e3218e2-150400.3.16.1	Aug 10, 2023	HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAP
CVE-2023-0056	—	< 2.4.8+git0.d1f8d41e0-150400.3.6.1	2.4.8+git0.d1f8d41e0-150400.3.6.1	Mar 23, 2023	An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
CVE-2023-25725	—	< 2.4.8+git0.d1f8d41e0-150400.3.10.1	2.4.8+git0.d1f8d41e0-150400.3.10.1	Feb 14, 2023	HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers an
CVE-2022-0711	—	< 2.4.8+git0.d1f8d41e0-150400.3.3.13	2.4.8+git0.d1f8d41e0-150400.3.3.13	Mar 2, 2022	A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from

CVE-2023-45539Nov 28, 2023
affected < 2.4.22+git0.f8e3218e2-150400.3.19.1fixed 2.4.22+git0.f8e3218e2-150400.3.19.1
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
CVE-2023-40225Aug 10, 2023
affected < 2.4.22+git0.f8e3218e2-150400.3.16.1fixed 2.4.22+git0.f8e3218e2-150400.3.16.1
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAP
CVE-2023-0056Mar 23, 2023
affected < 2.4.8+git0.d1f8d41e0-150400.3.6.1fixed 2.4.8+git0.d1f8d41e0-150400.3.6.1
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
CVE-2023-25725Feb 14, 2023
affected < 2.4.8+git0.d1f8d41e0-150400.3.10.1fixed 2.4.8+git0.d1f8d41e0-150400.3.10.1
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers an
CVE-2022-0711Mar 2, 2022
affected < 2.4.8+git0.d1f8d41e0-150400.3.3.13fixed 2.4.8+git0.d1f8d41e0-150400.3.3.13
A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from