rpm package
suse/haproxy&distro=SUSE Linux Enterprise Micro 5.3
pkg:rpm/suse/haproxy&distro=SUSE%20Linux%20Enterprise%20Micro%205.3
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-11230 | — | < 2.4.22+git0.f8e3218e2-150400.3.25.1 | 2.4.22+git0.f8e3218e2-150400.3.25.1 | Nov 19, 2025 | Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests. | ||
| CVE-2025-32464 | Med | 6.8 | < 2.4.22+git0.f8e3218e2-150400.3.22.1 | 2.4.22+git0.f8e3218e2-150400.3.22.1 | Apr 9, 2025 | HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one. | |
| CVE-2023-45539 | — | < 2.4.22+git0.f8e3218e2-150400.3.19.1 | 2.4.22+git0.f8e3218e2-150400.3.19.1 | Nov 28, 2023 | HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. | ||
| CVE-2023-40225 | — | < 2.4.22+git0.f8e3218e2-150400.3.16.1 | 2.4.22+git0.f8e3218e2-150400.3.16.1 | Aug 10, 2023 | HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAP | ||
| CVE-2023-0056 | — | < 2.4.8+git0.d1f8d41e0-150400.3.6.1 | 2.4.8+git0.d1f8d41e0-150400.3.6.1 | Mar 23, 2023 | An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. | ||
| CVE-2023-25725 | — | < 2.4.8+git0.d1f8d41e0-150400.3.10.1 | 2.4.8+git0.d1f8d41e0-150400.3.10.1 | Feb 14, 2023 | HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers an |
- CVE-2025-11230Nov 19, 2025affected < 2.4.22+git0.f8e3218e2-150400.3.25.1fixed 2.4.22+git0.f8e3218e2-150400.3.25.1
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.
- affected < 2.4.22+git0.f8e3218e2-150400.3.22.1fixed 2.4.22+git0.f8e3218e2-150400.3.22.1
HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.
- CVE-2023-45539Nov 28, 2023affected < 2.4.22+git0.f8e3218e2-150400.3.19.1fixed 2.4.22+git0.f8e3218e2-150400.3.19.1
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
- CVE-2023-40225Aug 10, 2023affected < 2.4.22+git0.f8e3218e2-150400.3.16.1fixed 2.4.22+git0.f8e3218e2-150400.3.16.1
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAP
- CVE-2023-0056Mar 23, 2023affected < 2.4.8+git0.d1f8d41e0-150400.3.6.1fixed 2.4.8+git0.d1f8d41e0-150400.3.6.1
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
- CVE-2023-25725Feb 14, 2023affected < 2.4.8+git0.d1f8d41e0-150400.3.10.1fixed 2.4.8+git0.d1f8d41e0-150400.3.10.1
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers an