CVE-2018-11469 — Sensitive Information Exposure in Haproxy

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

0.0%

top 92.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haproxy Debian Haproxy Canonical Ubuntu Linux

Timeline

PublishedMay 25

Latest updateMay 14

Description

Incorrect caching of responses to requests including an Authorization header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows attackers to achieve information disclosure via an unauthenticated remote request, related to the proto_http.c check_request_for_cacheability function.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/haproxy< haproxy 1.8.9-2 (bookworm)

▶Debianhaproxy/haproxy< 1.8.9-2+3

▶NVDhaproxy/haproxy1.8.0 — 1.8.9

Also affects: Ubuntu Linux 18.04

🔴Vulnerability Details

GHSA

GHSA-2m5p-jq2g-4fw5: Incorrect caching of responses to requests including an Authorization header in HAProxy 1↗2022-05-14

▶

OSV

CVE-2018-11469: Incorrect caching of responses to requests including an Authorization header in HAProxy 1↗2018-05-25

▶

📋Vendor Advisories

Ubuntu

HAProxy vulnerability↗2018-05-30

▶

Red Hat

haproxy: Information disclosure in check_request_for_cacheability function in proto_http.c↗2018-05-25

▶

Debian

CVE-2018-11469: haproxy - Incorrect caching of responses to requests including an Authorization header in ...↗2018

▶

💬Community

Bugzilla

CVE-2018-11469 haproxy: Information disclosure in check_request_for_cacheability function in proto_http.c [fedora-all]↗2018-05-25

▶

Bugzilla

CVE-2018-11469 haproxy: Information disclosure in check_request_for_cacheability function in proto_http.c↗2018-05-25

▶