PT-2022-6828 · Haproxy+6 · Haproxy+6
Published
2021-03-11
·
Updated
2024-04-17
·
CVE-2023-0836
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
HAProxy versions 2.1 through 2.7 before 2.7.1
HAProxy version 2.2 before 2.2.27
HAProxy version 2.3
HAProxy version 2.4 before 2.4.21
HAProxy version 2.5 before 2.5.11
HAProxy version 2.6 before 2.6.8
Description
An information leak issue was discovered in HAProxy. The problem arises from 5 bytes left uninitialized in the connection buffer when encoding the FCGI BEGIN REQUEST record, potentially disclosing sensitive data to configured FastCGI backends in an unexpected manner. This issue is related to incomplete clearing of temporary or auxiliary resources, which could allow a remote attacker to access confidential data.
Recommendations
For HAProxy version 2.1, update to a version after 2.7.1 to resolve the issue.
For HAProxy version 2.2 before 2.2.27, update to version 2.2.27 or later.
For HAProxy version 2.3, update to a version after 2.7.1.
For HAProxy version 2.4 before 2.4.21, update to version 2.4.21 or later.
For HAProxy version 2.5 before 2.5.11, update to version 2.5.11 or later.
For HAProxy version 2.6 before 2.6.8, update to version 2.6.8 or later.
For HAProxy version 2.7 before 2.7.1, update to version 2.7.1 or later.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Haproxy
Linuxmint
Red Hat
Ubuntu