AZL-13569

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-13569.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-13569

Upstream

CVE-2023-25725

Published

2023-02-14T19:15:11Z

Modified

2026-04-01T05:07:41.121775Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

CVE-2023-25725 affecting package haproxy for versions less than 2.4.22-1

Details

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-25725

Affected packages

Azure Linux:2 / haproxy

Package

Name: haproxy
Purl: pkg:rpm/azure-linux/haproxy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.22-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-13569.json"