CVE-2023-0836 — Sensitive Information Exposure in Haproxy

CWE-200 — Sensitive Information Exposure CWE-459 — Incomplete Cleanup6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 99.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haproxy Debian Haproxy

Timeline

PublishedMar 29

Latest updateApr 3

Description

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/haproxy< haproxy 2.6.8-1 (bookworm)

▶NVDhaproxy/haproxy2.2.0 — 2.2.27+6

▶Debianhaproxy/haproxy< 2.2.9-2+deb11u5+3

▶CVEListV5haproxy/haproxyHAProxy 2.8, HAProxy 2.7.1, HAProxy 2.6.8, HAProxy 2.5.11, HAProxy 2.4.21, HAProxy 2.2.27

🔴Vulnerability Details

OSV

CVE-2023-0836: An information leak vulnerability was discovered in HAProxy 2↗2023-03-29

▶

GHSA

GHSA-xhfw-qhxr-hjhq: An information leak vulnerability was discovered in HAProxy 2↗2023-03-29

▶

📋Vendor Advisories

Ubuntu

HAProxy vulnerability↗2023-04-03

▶

Debian

CVE-2023-0836: haproxy - An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2....↗2023

▶

Red Hat

haproxy: data leak via fcgi requests↗2022-12-09

▶