PT-2019-5250 · Haproxy+4 · Haproxy+4

Tim Düsterhus

·

Published

2019-11-25

·

Updated

2020-08-18

·

CVE-2019-19330

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions HAProxy versions prior to 2.0.10
Description The issue is related to the HTTP/2 implementation in HAProxy, which mishandles headers. This can be exploited by an attacker to gain access to confidential data, disrupt data integrity, and cause a denial of service. The vulnerability is demonstrated by the improper handling of carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0).
Recommendations For HAProxy versions prior to 2.0.10, update to version 2.0.10 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures to prevent exploitation.

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-74

Related Identifiers

ALT-PU-2019-3294
ALT-PU-2020-1530
BDU:2020-02041
CESA-2020_1725
CVE-2019-19330
DSA-4577-1
RHSA-2020:1287
RHSA-2020:1725
RHSA-2020:1936
RHSA-2020:2265
RHSA-2020_1725
USN-4212-1

Affected Products

Alt Linux
Centos
Haproxy
Red Hat
Ubuntu