CVE-2021-39240 — Improper Input Validation in Haproxy

CWE-20 — Improper Input Validation5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 79.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haproxy Debian Haproxy Debian Linux +1 more

Timeline

PublishedAug 17

Latest updateMay 24

Description

An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/haproxy< haproxy 2.2.16-1 (bookworm)

▶NVDhaproxy/haproxy2.2.0 — 2.2.16+2

▶Debianhaproxy/haproxy< 2.2.9-2+deb11u1+3

Also affects: Debian Linux 11.0, Fedora 33, 34

🔴Vulnerability Details

GHSA

GHSA-88gq-424p-x3xc: An issue was discovered in HAProxy 2↗2022-05-24

▶

OSV

CVE-2021-39240: An issue was discovered in HAProxy 2↗2021-08-17

▶

📋Vendor Advisories

Red Hat

haproxy: does not ensure that the scheme and path portions of a URI have the expected characters↗2021-08-17

▶

Debian

CVE-2021-39240: haproxy - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4...↗2021

▶