PT-2018-2891 · Haproxy+3 · Haproxy+3

Published

2018-05-22

Updated

2024-06-15

CVE-2018-11469

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions HAProxy versions 1.8.0 through 1.8.9

Description The issue is related to incorrect caching of responses to requests including an Authorization header, which allows attackers to achieve information disclosure via an unauthenticated remote request. This is connected to the check request for cacheability function in proto http.c. The vulnerability is associated with a lack of protection for service data, enabling a remote attacker to disclose protected information using an unauthenticated remote request.

Recommendations For HAProxy versions 1.8.0 through 1.8.9, consider disabling the cache functionality as a temporary workaround until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

ALT-PU-2018-1942

BDU:2019-02451

CVE-2018-11469

OPENSUSE-SU-2018_3324-1

OPENSUSE-SU-2024:10839-1

RHSA-2019:1436

SUSE-SU-2018:3249-1

SUSE-SU-2018_3249-1

USN-3663-1

Affected Products

Alt Linux

Haproxy

Suse

Ubuntu

PT-2018-2891 · Haproxy+3 · Haproxy+3

CVE-2018-11469

Weakness Enumeration

Related Identifiers

Affected Products

References · 31