CVE-2019-14241
published 2019-07-23

CVE-2019-14241: HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c.

Priority: P3 · 51 · high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 70.24% (99.3rd percentile)
Affected (3 ranges)

Vendor    Product   Version range    Fixed in
debian    haproxy
haproxy   haproxy   1.4 – 1.9.8
haproxy   haproxy   2.0.0 – 2.0.2

Detection & IOCs (extracted from sources)

  • Vulnerable versions of HAProxy are 1.9.0 through 1.9.8 and 2.0.0 through 2.0.2; the DoS is triggered via cookie handling in htx_manage_client_side_cookies in proto_htx.c.
  • Monitor HAProxy processes for unexpected ha_panic crashes, which may indicate exploitation attempts against the cookie parsing code path.
  • Only the HAProxy 1.9.x and 2.0.x branches are affected; HAProxy 1.8 and earlier are NOT vulnerable.
  • Red Hat Enterprise Linux, Red Hat Software Collections, and Red Hat OpenStack Platform packaged versions are not affected, as they did not ship the vulnerable HAProxy versions.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_debian             7.5     LOW
vendor_redhat             7.5     HIGH