CVE-2024-53008 — HTTP Request Smuggling in Haproxy

CWE-444 — HTTP Request Smuggling6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 63.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haproxy Debian Haproxy Haproxy Project Haproxy 2.6 +3 more

Timeline

PublishedNov 28

Latest updateDec 3

Description

Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

▶debiandebian/haproxy< haproxy 2.9.10-1 (forky)

▶Debianhaproxy/haproxy< 2.9.10-1+1

▶CVEListV5haproxy_project/haproxy_2.62.6.18 and earlier

▶CVEListV5haproxy_project/haproxy_2.82.8.10 and earlier

▶CVEListV5haproxy_project/haproxy_2.92.9.9 and earlier

🔴Vulnerability Details

OSV

CVE-2024-53008: Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy↗2024-11-28

▶

GHSA

GHSA-qq72-vh82-fwv9: Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy↗2024-11-28

▶

📋Vendor Advisories

Ubuntu

HAProxy vulnerability↗2024-12-03

▶

Red Hat

HAProxy: HTTP request smuggling in HAProxy↗2024-11-28

▶

Debian

CVE-2024-53008: haproxy - Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling')...↗2024

▶