CVE-2019-18277

Name of the Vulnerable Software and Affected Versions HAProxy versions prior to 2.0.6

Description A flaw was found in the handling of HTTP requests. The issue is related to messages featuring a transfer-encoding header missing the "chunked" value, which were not being correctly rejected in legacy mode. If combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one, even if not entirely valid according to the specification.

Recommendations For versions prior to 2.0.6, update to version 2.0.6 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the "http-reuse always" setting in legacy mode until a patch is applied. Restrict access to components that employ lenient parsers to minimize the risk of exploitation.