CVE-2018-10184Improper Restriction of Operations within the Bounds of a Memory Buffer in Haproxy

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-122Heap-based Buffer Overflow6 documents6 sources
Severity
7.5HIGHNVD
EPSS
25.1%
top 3.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
HaproxyDebian HaproxyRedhat Enterprise Linux
Timeline
PublishedMay 9
Latest updateMay 14

Description

An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the max_frame_size setting instead of being checked against the bufsize. The max_frame_size only applies to outgoing traffic and not to incoming, so if a large enough frame size is advertised in the SETTINGS frame, a wrapped frame will be defragmented into a temporary allocated buffer where the second fragment may overflow the heap by up to 16 kB. It is very unlikely that this can be exploited for c

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

debiandebian/haproxy< haproxy 1.8.8-1 (bookworm)
NVDhaproxy/haproxy< 1.8.8
Debianhaproxy/haproxy< 1.8.8-1+3

Also affects: Enterprise Linux 7.0, 7.3, 7.4, 7.5

🔴Vulnerability Details

2
GHSA
GHSA-v27h-hh5q-3p4q: An issue was discovered in HAProxy before 12022-05-14
OSV
CVE-2018-10184: An issue was discovered in HAProxy before 12018-05-09

📋Vendor Advisories

2
Red Hat
haproxy: Heap buffer overflow in mux_h2.c:h2_process_demux() can allow attackers to cause a denial of service2018-04-19
Debian
CVE-2018-10184: haproxy - An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length wa...2018

💬Community

1
Bugzilla
CVE-2018-10184 haproxy: Heap buffer overflow in mux_h2.c:h2_process_demux() can allow attackers to cause a denial of service2018-04-19