rpm package
suse/haproxy&distro=SUSE Linux Enterprise High Availability Extension 15 SP3
pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-45539 | — | < 2.0.31-150200.11.26.1 | 2.0.31-150200.11.26.1 | Nov 28, 2023 | HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. | ||
| CVE-2023-40225 | — | < 2.0.31-150200.11.23.1 | 2.0.31-150200.11.23.1 | Aug 10, 2023 | HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAP | ||
| CVE-2023-0056 | — | < 2.0.31-150200.11.20.1 | 2.0.31-150200.11.20.1 | Mar 23, 2023 | An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. | ||
| CVE-2023-25725 | — | < 2.0.31-150200.11.20.1 | 2.0.31-150200.11.20.1 | Feb 14, 2023 | HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers an | ||
| CVE-2021-40346 | — | < 2.0.14-11.11.1 | 2.0.14-11.11.1 | Sep 8, 2021 | An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs. |
- CVE-2023-45539Nov 28, 2023affected < 2.0.31-150200.11.26.1fixed 2.0.31-150200.11.26.1
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
- CVE-2023-40225Aug 10, 2023affected < 2.0.31-150200.11.23.1fixed 2.0.31-150200.11.23.1
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAP
- CVE-2023-0056Mar 23, 2023affected < 2.0.31-150200.11.20.1fixed 2.0.31-150200.11.20.1
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
- CVE-2023-25725Feb 14, 2023affected < 2.0.31-150200.11.20.1fixed 2.0.31-150200.11.20.1
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers an
- CVE-2021-40346Sep 8, 2021affected < 2.0.14-11.11.1fixed 2.0.14-11.11.1
An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.