CVE-2022-0711 — Infinite Loop in Haproxy

CWE-835 — Infinite Loop8 documents8 sources

Severity

7.5HIGHNVD

EPSS

66.5%

top 1.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haproxy Debian Linux Redhat Enterprise Linux +1 more

Timeline

PublishedMar 2

Latest updateMar 8

Description

A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDhaproxy/haproxy2.2.0 — 2.2.21+2

▶Debianhaproxy/haproxy< 2.2.9-2+deb11u3+3

▶CVEListV5haproxy/haproxy2.5.1

Also affects: Debian Linux 11.0, Enterprise Linux 7.0, 8.0, Openshift Container Platform 4.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-x4fc-x944-v9p7: A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header↗2022-03-03

▶

CVEList

CVE-2022-0711: A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header↗2022-03-02

▶

OSV

CVE-2022-0711: A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header↗2022-03-02

▶

📋Vendor Advisories

Microsoft

▶

Ubuntu

HAProxy vulnerability↗2022-03-03

▶

Red Hat

haproxy: Denial of service via set-cookie2 header↗2022-02-23

▶

Debian

CVE-2022-0711: haproxy - A flaw was found in the way HAProxy processed HTTP responses containing the "Set...↗2022

▶