Description
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.
HAProxy was found to be vulnerable to an HTTP Host header attack: this problem creates a scenario in which it is possible to drop the Host header and use the authority only after forwarding to a second HTTP/2 layer, possibly causing two differing values of Host at different stages. The highest threat from this vulnerability is to data integrity.
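The mitigation for the class of problem described above is to refuse to forward a request whose HTTP/2 `:authority` pseudo-header and `Host` header disagree, so that every proxy layer sees the same value. The following is an added illustration of that check (example code, not HAProxy's implementation); the function names `mismatch_reason` and `h2_to_h1_headers` and the sample requests are constructed for this example.

```python
# Added example (not HAProxy's code): reject HTTP/2 requests whose
# ":authority" and "Host" disagree before translating them to HTTP/1.1,
# so that a second proxy layer cannot end up with a different Host value.
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]


class MismatchedAuthority(ValueError):
    """Request must be rejected (e.g. with 400) rather than forwarded."""


def mismatch_reason(pseudo: Dict[str, str], headers: Headers) -> Optional[str]:
    """Return why the request is inconsistent, or None if it is safe to forward.

    pseudo  - HTTP/2 pseudo-headers (":method", ":path", ":authority", ...)
    headers - regular header fields in wire order
    """
    authority = pseudo.get(":authority")
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) > 1:
        # Two Host values are ambiguous on their own; do not guess.
        return "multiple Host headers"
    host = hosts[0] if hosts else None
    if authority is None and host is None:
        return "neither :authority nor Host present"
    # Host names are case-insensitive, so compare case-insensitively; any
    # other difference (different name, different port) is a mismatch.
    if authority is not None and host is not None and authority.lower() != host.lower():
        return f":authority {authority!r} differs from Host {host!r}"
    return None


def h2_to_h1_headers(pseudo: Dict[str, str], headers: Headers) -> Headers:
    """Build the HTTP/1.1 header list with exactly one, consistent Host header."""
    reason = mismatch_reason(pseudo, headers)
    if reason is not None:
        raise MismatchedAuthority(reason)
    authority = pseudo.get(":authority")
    if authority is None:
        # Only Host was sent (permitted for HTTP/1.1-origin requests).
        authority = next(v for n, v in headers if n.lower() == "host")
    rest = [(n, v) for n, v in headers if n.lower() != "host"]
    return [("Host", authority)] + rest


if __name__ == "__main__":
    # Constructed sample: consistent request is forwarded, mismatch is refused.
    ok = {":method": "GET", ":path": "/", ":authority": "example.com"}
    print(h2_to_h1_headers(ok, [("host", "example.com"), ("x-trace", "1")]))
    print(mismatch_reason(ok, [("Host", "other.example")]))
```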
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | haproxy | Not affected | | |
| Red Hat Enterprise Linux 7 | haproxy | Not affected | | |
| Red Hat Enterprise Linux 8 | haproxy | Not affected | | |
| Red Hat Enterprise Linux 9 | haproxy | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | haproxy | Out of support scope | | |
| Red Hat Software Collections | rh-haproxy18-haproxy | Not affected | | |
| Red Hat OpenShift Container Platform 4.8 | haproxy | Fixed | RHSA-2021:5208 | 05.01.2022 |
| Red Hat OpenShift Container Platform 4.9 | haproxy | Fixed | RHSA-2021:4118 | 10.11.2021 |
Additional information
Status: 7.5 High (CVSS3)
Related vulnerabilities
A vulnerability in the HAProxy server software related to flaws in the handling of exceptional conditions, allowing an attacker to affect data integrity.
7.5 High (CVSS3)