PT-2021-7489 · Haproxy+2

Tim Düsterhus

·

Published

2021-08-10

·

Updated

2024-06-15

·

CVE-2021-39240

CVSS v2.0

7.8

High

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

HAProxy versions 2.2 through 2.2.15
HAProxy versions 2.3 through 2.3.12
HAProxy versions 2.4 through 2.4.2

Description

An issue was discovered in HAProxy: it does not ensure that the scheme and path portions of a URI contain only the characters those components may hold. For example, the authority field, as observed on a target HTTP/2 server, might differ from what the routing rules were intended to achieve, potentially allowing a remote attacker to access confidential data. The root cause is insufficient input validation.

Recommendations

For HAProxy versions 2.2 through 2.2.15, update to version 2.2.16 or later.
For HAProxy versions 2.3 through 2.3.12, update to version 2.3.13 or later.
For HAProxy versions 2.4 through 2.4.2, update to version 2.4.3 or later.
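The following is an added illustration of the class of defect the description names; it is not HAProxy's code and not taken from the advisory. It models the step at which a proxy rebuilds an absolute-form request target from HTTP/2 pseudo-headers (scheme, "://", authority, path) and shows why the scheme and path must be checked against the RFC 3986 character sets before that concatenation: an unchecked :scheme carrying "://" shifts where a downstream parser reads the authority from. The request dictionaries, the host names and the helper functions (validate_pseudo_headers, reassemble_target, forward) are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")
# RFC 7540 section 8.1.2.3: :path is "*" or an absolute path; the class below is
# RFC 3986 pchar plus "/" and "?" (a stricter check would also require "%" to be
# followed by two hex digits).
PATH_RE = re.compile(r"^(?:\*|/[A-Za-z0-9._~!$&'()*+,;=:@/%?-]*)$")


def validate_pseudo_headers(pseudo):
    """Return a list of problems with the HTTP/2 pseudo-headers (empty list = acceptable)."""
    problems = []
    for name in (":method", ":scheme", ":authority", ":path"):
        if name not in pseudo:
            problems.append(f"missing {name}")
    if problems:
        return problems
    if not SCHEME_RE.match(pseudo[":scheme"]):
        problems.append("illegal characters in :scheme")
    if not PATH_RE.match(pseudo[":path"]):
        problems.append("illegal characters in :path")
    return problems


def reassemble_target(pseudo):
    """Rebuild the absolute-form target as a simplified H2-to-H1 bridge would: scheme '://' authority path.
    This is a model of the concatenation step, not HAProxy's implementation."""
    return f"{pseudo[':scheme']}://{pseudo[':authority']}{pseudo[':path']}"


def observed_authority(target):
    """The host a downstream URI parser takes from the rebuilt target."""
    return urlsplit(target).netloc


def forward(pseudo, validate=True):
    """Simulate the proxy's decision. Returns (accepted, target, authority_seen_downstream).
    validate=False passes :scheme and :path through unchecked, the behaviour the advisory
    describes; validate=True rejects requests whose pseudo-headers fail the character checks."""
    if validate and validate_pseudo_headers(pseudo):
        return (False, None, None)
    target = reassemble_target(pseudo)
    return (True, target, observed_authority(target))


# Constructed sample requests (not captured traffic; host names are placeholders).
BENIGN = {
    ":method": ":GET"[1:],
    ":scheme": "https",
    ":authority": "app.internal",
    ":path": "/api/v1/items",
}
# The :scheme value below is illustrative: it carries "://" and "?", which RFC 3986 forbids in a scheme.
MALFORMED = {
    ":method": "GET",
    ":scheme": "http://other.internal/x?",
    ":authority": "app.internal",
    ":path": "/api/v1/items",
}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(label, "unchecked:", forward(req, validate=False))
        print(label, "checked:  ", forward(req, validate=True))
```

Run unchecked, the malformed request is rebuilt as http://other.internal/x?://app.internal/api/v1/items, and a downstream parser reports other.internal as the authority even though the routing decision was made for app.internal; with the character checks in place the same request is refused before the target is rebuilt.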


Related Identifiers

ALT-PU-2022-3040
ALT-PU-2023-1151
BDU:2022-06892
BIT-HAPROXY-2021-39240
CVE-2021-39240
DSA-4960-1
OESA-2021-1333
OPENSUSE-SU-2024:10839-1
RHSA-2021:4118
RHSA-2021:5208

Affected Products

Alt Linux
Astra Linux
Haproxy