CVE-2021-39240
Published: 17 August 2021
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
haproxy Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| hirsute |
Released
(2.2.9-1ubuntu0.1)
|
|
| impish |
Released
(2.2.9-2ubuntu1)
|
|
| jammy |
Released
(2.2.9-2ubuntu1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://git.haproxy.org/?p=haproxy.git;a=commit;h=4b8852c70d8c4b7e225e24eb58258a15eb54c26e upstream: https://git.haproxy.org/?p=haproxy.git;a=commit;h=a495e0d94876c9d39763db319f609351907a31e8 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |