CVE-2021-39241 — Improper Input Validation in Haproxy

CWE-20 — Improper Input Validation5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.4%

top 36.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haproxy Debian Haproxy Debian Linux +1 more

Timeline

PublishedAug 17

Latest updateMay 24

Description

An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/haproxy< haproxy 2.2.16-1 (bookworm)

▶NVDhaproxy/haproxy2.0.0 — 2.0.24+3

▶Debianhaproxy/haproxy< 2.2.9-2+deb11u1+3

Also affects: Debian Linux 11.0, Fedora 33, 34

🔴Vulnerability Details

GHSA

GHSA-6x47-wc8c-3q36: An issue was discovered in HAProxy 2↗2022-05-24

▶

OSV

CVE-2021-39241: An issue was discovered in HAProxy 2↗2021-08-17

▶

📋Vendor Advisories

Red Hat

haproxy: an HTTP method name may contain a space followed by the name of a protected resource↗2021-08-17

▶

Debian

CVE-2021-39241: haproxy - An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 bef...↗2021

▶