CVE-2021-39242 — Improper Handling of Exceptional Conditions in Haproxy

CWE-755 — Improper Handling of Exceptional Conditions CWE-20 — Improper Input Validation8 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 35.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haproxy Debian Haproxy Debian Linux +2 more

Timeline

PublishedAug 17

Latest updateMay 24

Description

An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/haproxy< haproxy 2.2.16-1 (bookworm)

▶NVDhaproxy/haproxy2.2.0 — 2.2.16+2

▶Debianhaproxy/haproxy< 2.2.9-2+deb11u1+3

▶NVDredhat/openshift4.9

Also affects: Debian Linux 11.0, Fedora 33, 34

🔴Vulnerability Details

GHSA

GHSA-gh3m-9h22-r3r5: An issue was discovered in HAProxy 2↗2022-05-24

▶

GHSA

GHSA-v3g6-gh83-x752: The release of OpenShift 4↗2022-04-12

▶

OSV

CVE-2021-39242: An issue was discovered in HAProxy 2↗2021-08-17

▶

📋Vendor Advisories

Red Hat

haproxy: Incomplete fix for CVE-2021-39242 in OpenShift 4.9↗2021-11-30

▶

Red Hat

haproxy: it can lead to a situation with an attacker-controlled HTTP Host header because a mismatch between Host and authority is mishandled↗2021-08-17

▶

Debian

CVE-2021-39242: haproxy - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4...↗2021

▶