PT-2021-7625 · Haproxy+2

Tim Düsterhus · Published 2021-08-11 · Updated 2024-03-06 · CVE-2021-39241

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

HAProxy versions 2.0 through 2.0.23
HAProxy versions 2.2 through 2.2.15
HAProxy versions 2.3 through 2.3.12
HAProxy versions 2.4 through 2.4.2
Description

The issue is caused by insufficient input validation in the HAProxy HTTP server software. A remote attacker can use it to impact data integrity. Specifically, an HTTP method name may contain a space followed by the name of a protected resource, and the server may interpret the request as a request for that protected resource. For example, a request line such as "GET /admin? HTTP/1.1 /static/images HTTP/1.1" could be misinterpreted.
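The defensive check that the description implies is a strict request-line parser: the method must be an RFC 7230 token (no whitespace), the line must have exactly three space-separated parts, and anything else is rejected rather than split leniently. The following is an added example written for this advisory, not HAProxy code and not code from the advisory; the tchar table is the one from RFC 7230, and the sample request lines (including one shaped like the advisory's example) are constructed here.

```python
import re
import string

# RFC 7230 "token" characters: the only characters permitted in an HTTP method.
# Taken from the RFC's tchar production; this is not HAProxy's own table.
TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")

# Constructed sample request lines for the demonstration.
SAMPLE_REQUEST_LINES = [
    "GET /static/images HTTP/1.1",
    "GET /admin? HTTP/1.1 /static/images HTTP/1.1",  # shape from the advisory
    "POST /login HTTP/1.1",
    "GET\t/admin HTTP/1.1",                           # tab instead of SP
]


def parse_request_line(line: str):
    """Return (method, target, version) for a well-formed request line.

    Splits on single SP characters exactly as RFC 7230 requires, then checks
    that the method is a non-empty token, that the target contains no
    whitespace, and that the version is HTTP/x.y. A line with extra spaces
    or a non-token method raises ValueError instead of being reinterpreted,
    which closes the ambiguity the advisory describes.
    """
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError(
            f"request line must have exactly 3 SP-separated parts, got {len(parts)}"
        )
    method, target, version = parts
    if not method or any(c not in TCHAR for c in method):
        raise ValueError(f"method is not a valid token: {method!r}")
    if not target or any(c.isspace() for c in target):
        raise ValueError(f"bad request target: {target!r}")
    if not re.fullmatch(r"HTTP/\d\.\d", version):
        raise ValueError(f"bad HTTP version: {version!r}")
    return method, target, version


def classify(lines):
    """Map each request line to 'accepted' or 'rejected: <reason>'."""
    result = {}
    for line in lines:
        try:
            parse_request_line(line)
            result[line] = "accepted"
        except ValueError as exc:
            result[line] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for line, verdict in classify(SAMPLE_REQUEST_LINES).items():
        print(f"{line!r}: {verdict}")
```

The strictness matters: a parser that tokenises on any run of whitespace and then takes the first and last pieces as method and version leaves the middle open to reinterpretation, which is exactly the class of behaviour the affected versions exhibited.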
Recommendations

For HAProxy versions 2.0 through 2.0.23, update to version 2.0.24 or later.
For HAProxy versions 2.2 through 2.2.15, update to version 2.2.16 or later.
For HAProxy versions 2.3 through 2.3.12, update to version 2.3.13 or later.
For HAProxy versions 2.4 through 2.4.2, update to version 2.4.3 or later.

Fix

RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2022-3040
ALT-PU-2023-1151
ALT-PU-2023-5100
BDU:2023-00287
BIT-HAPROXY-2021-39241
CVE-2021-39241
DSA-4960-1
OESA-2021-1333
RHSA-2021:4118
RHSA-2021:5208
RHSA-2022:0024
RHSA-2022:0114
USN-5042-1

Affected Products

Alt Linux
Astra Linux
Haproxy