Published:2024/11/27  Last Updated:2024/11/27

JVN#88385716
HAProxy vulnerable to HTTP request/response smuggling

Overview

HAProxy contains a HTTP request/response smuggling vulnerability.

Products Affected

  • HAProxy 2.6 versions 2.6.18 and earlier
  • HAProxy 2.8 versions 2.8.10 and earlier
  • HAProxy 2.9 versions 2.9.9 and earlier
  • HAProxy 3.0 versions 3.0.2 and earlier

Description

HAProxy HTTP/3 implementation contains an issue on accepting malformed HTTP headers. When a request including malformed HTTP headers is forwarded to a HTTP/1.1 non-compliant back-end server, it is exploited to conduct an HTTP request/response smuggling attack (CWE-444).

Impact

A remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer addressed the vulnerability in the following versions:

  • HAProxy version 2.6.19
  • HAProxy version 2.8.11
  • HAProxy version 2.9.10
  • HAProxy version 3.0.3

Vendor Status

Vendor Link
HAProxy Project HAProxy - The Reliable, High Perf. TCP/HTTP Load Balancer
Repositories - haproxy-2.6.git/commit
Repositories - haproxy-2.8.git/commit
Repositories - haproxy-2.9.git/commit
Repositories - haproxy-3.0.git/commit

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Credit

Yuki Mogi of FFRI Security, Inc. reported this vulnerability to the developer and coordinated. After the coordination was completed, JPCERT/CC coordinated with the developer to publish this advisory in order to notify users of the solution through JVN.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-53008
JVN iPedia JVNDB-2024-000122