CVE-2024-45506 — Infinite Loop in Haproxy

CWE-835 — Infinite Loop7 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.5%

top 18.89%

CISA KEV

Not in KEV

Exploit

Exploited in wild

Active exploitation observed

Affected products

Haproxy Debian Haproxy Msrc Azl3 Haproxy 2.9.1-2 ON Azure Linux 3.0 +3 more

Timeline

PublishedSep 4

Latest updateSep 10

Description

HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions, as exploited in the wild in 2024.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶debiandebian/haproxy< haproxy 2.9.10-1 (forky)

▶NVDhaproxy/haproxy2.9.0 — 2.9.10+2

▶Debianhaproxy/haproxy< 2.9.10-1+1

▶msrcmsrc/azl3_haproxy_2.9.1-2_on_azure_linux_3.0

▶msrcmsrc/azl3_haproxy_2.9.11-1_on_azure_linux_3.0

🔴Vulnerability Details

GHSA

GHSA-gmvf-rv8w-2hrh: HAProxy 2↗2024-09-04

▶

OSV

CVE-2024-45506: HAProxy 2↗2024-09-04

▶

VulnCheck

HAProxy Endless Loop HTTP/2 Vulnerability↗2024

▶

📋Vendor Advisories

Microsoft

HAProxy 2.9.x before 2.9.10 3.0.x before 3.0.4 and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions as exploite↗2024-09-10

▶

Red Hat

haproxy: potential infinite loop condition in the h2_send() may trigger a DoS↗2024-09-04

▶

Debian

CVE-2024-45506: haproxy - HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allo...↗2024

▶