CVE-2013-1912

Name of the Vulnerable Software and Affected Versions HAProxy versions 1.4 through 1.4.22 HAProxy versions 1.5-dev through 1.5-dev17

Description The issue is related to a buffer overflow in HAProxy, which can be exploited when HTTP keep-alive is enabled, and specific conditions are met, such as using HTTP keywords in TCP inspection rules and running with rewrite rules that append to requests. This can allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted pipelined HTTP requests. The vulnerability can be exploited remotely and may lead to a disruption of confidentiality, integrity, and availability of protected information.

Recommendations For HAProxy versions 1.4 through 1.4.22, consider disabling HTTP keep-alive and TCP inspection rules using HTTP keywords as a temporary workaround until a patch is available. For HAProxy versions 1.5-dev through 1.5-dev17, restrict the use of rewrite rules that append to requests to minimize the risk of exploitation. As a general mitigation measure, avoid using pipelined HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.