CVE-2019-14241
Published 2019-07-23
CVE-2019-14241: HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.
Priority: P3 · 51 · high · CVSS 3.0: 7.5
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 70.24% (99.3rd percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | haproxy | — | — |
| haproxy | haproxy | 1.4 – 1.9.8 | — |
| haproxy | haproxy | 2.0.0 – 2.0.2 | — |
Detection & IOCs (extracted from sources)
- Vulnerable versions of HAProxy are 1.9.0 through 1.9.8 and 2.0.0 through 2.0.2; the DoS is triggered via cookie handling in htx_manage_client_side_cookies in proto_htx.c
- Monitor HAProxy processes for unexpected ha_panic crashes, which may indicate exploitation attempts against the cookie parsing code path
- Only HAProxy 1.9.x and 2.0.x branches are affected; HAProxy 1.8 and earlier are NOT vulnerable
- Red Hat Enterprise Linux, Red Hat Software Collections, and Red Hat OpenStack Platform packaged versions are not affected as they did not ship the vulnerable HAProxy versions
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-rwrj-rg8q-w32h: HAProxy through 2
ghsa_unreviewed · 2022-05-24 · HIGH
HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.
Red Hat
haproxy: DoS via vectors related to htx_manage_client_side_cookies in proto_htx.c
vendor_redhat · 2019-07-22 · CVSS 7.5 · HIGH · CWE-400
HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.
A flaw was found in HAProxy versions 2.0.0 through 2.0.2 and 1.9.0 through 1.9.8. An attacker can cause a denial of service via vectors related to htx_manage_client_side_cookies in proto_htx.c. The highest threat from this vulnerability is to system availability.
Statement: Red Hat Enterprise Linux, Red Hat Software Collections, and Red Hat OpenStack Platform did not package these versions and are therefore not vulnerable to this flaw.
Package: haproxy (Red Hat Enterprise Linux 6) - Not affected
Package: haproxy (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2019-14241: haproxy - HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) v...
vendor_debian · 2019 · CVSS 7.5 · HIGH
HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-14241 haproxy: DoS via vectors related to htx_manage_client_side_cookies in proto_htx.c [fedora-all]
bugzilla · 2019-07-26 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue aff
Bugzilla
CVE-2019-14241 haproxy: DoS via vectors related to htx_manage_client_side_cookies in proto_htx.c
bugzilla · 2019-07-26 · CVSS 7.5 · HIGH
A vulnerability was found in HAProxy through 2.0.2. This allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.
References:
https://github.com/haproxy/haproxy/issues/181
Discussion:
Created haproxy tracking bugs for this issue:
Affects: fedora-all [bug 1733584]
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-14241
---
Statement:
Red Hat Enterprise Linux, Red Hat Software Collections, and Red Hat OpenStack Platform did not package these versions and are therefore not vulnerable to this flaw.
References
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00062.html
- http://www.securityfocus.com/bid/109352
- https://github.com/haproxy/haproxy/issues/181