CVE-2023-40225
CVSS V2 None
CVSS V3 None
Description
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Overview
- CVE ID
- CVE-2023-40225
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2023-08-10T21:15:10
- Last Modified Date
- 2023-08-18T20:03:17
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 1 | OR | 2.0.32 | |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 1 | OR | 2.2.0 | 2.2.30 |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 1 | OR | 2.4.0 | 2.4.23 |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 1 | OR | 2.5.0 | 2.6.15 |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 1 | OR | 2.7.0 | 2.7.10 |
| cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* | 1 | OR | 2.8.0 | 2.8.2 |
References
| Reference URL | Reference Tags |
|---|---|
| https://cwe.mitre.org/data/definitions/436.html | Technical Description |
| https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856 | Patch |
| https://github.com/haproxy/haproxy/issues/2237 | Exploit Issue Tracking Vendor Advisory |
| https://www.haproxy.org/download/2.6/src/CHANGELOG | Release Notes |
| https://www.haproxy.org/download/2.7/src/CHANGELOG | Release Notes |
| https://www.haproxy.org/download/2.8/src/CHANGELOG | Release Notes |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-40225 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40225 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2023-09-06 03:31:54 | Added to TrackCVE | |||
| 2023-09-06 03:31:55 | Weakness Enumeration | new |