CVE-2019-19330 — Injection in Haproxy

CWE-74 — Injection CWE-20 — Improper Input Validation8 documents7 sources

Severity

9.8CRITICALNVD

EPSS

1.0%

top 23.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haproxy Debian Haproxy Canonical Ubuntu Linux +1 more

Timeline

PublishedNov 27

Latest updateMay 24

Description

The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/haproxy< haproxy 2.0.10-1 (bookworm)

▶NVDhaproxy/haproxy< 2.0.10

▶Debianhaproxy/haproxy< 2.0.10-1+3

Also affects: Debian Linux 10.0, Ubuntu Linux 18.04, 19.04, 19.10

🔴Vulnerability Details

GHSA

GHSA-x4px-pm9c-vmjm: The HTTP/2 implementation in HAProxy before 2↗2022-05-24

▶

OSV

CVE-2019-19330: The HTTP/2 implementation in HAProxy before 2↗2019-11-27

▶

📋Vendor Advisories

Ubuntu

HAProxy vulnerability↗2019-12-04

▶

Red Hat

haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks↗2019-11-25

▶

Debian

CVE-2019-19330: haproxy - The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demons...↗2019

▶

💬Community

Bugzilla

CVE-2019-19330 haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks↗2019-11-27

▶

Bugzilla

CVE-2019-19330 haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks [fedora-all]↗2019-11-27

▶