BIT-haproxy-2023-0836

Import Source
https://github.com/bitnami/vulndb/tree/main/data/haproxy/BIT-haproxy-2023-0836.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-haproxy-2023-0836
Aliases
Published
2024-03-06T10:53:49.889Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, and 2.7 before 2.7.1. When encoding the FCGI_BEGIN_REQUEST record, 5 bytes of the connection buffer (the reserved field of the record body) are left uninitialized, so whatever the buffer previously held is transmitted as part of the record. Sensitive data may therefore be disclosed to configured FastCGI backends in an unexpected way.
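The C program below is an added illustration of the mechanism described above; it is not HAProxy's code and not part of this advisory. It lays out a FastCGI FCGI_BEGIN_REQUEST record (8-byte header plus an 8-byte body of role, flags and 5 reserved bytes, per the FastCGI specification) into a buffer that has just carried other data, once with an encoder that skips the reserved bytes and once with one that zeroes them, and then reads back what a backend would receive in the reserved field. The function names, the stale buffer contents and the two encoders are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the FastCGI specification. */
#define FCGI_VERSION_1      1
#define FCGI_BEGIN_REQUEST  1
#define FCGI_RESPONDER      1
#define FCGI_KEEP_CONN      1
#define FCGI_HEADER_LEN     8
#define FCGI_BEGIN_BODY_LEN 8                      /* role(2) + flags(1) + reserved(5) */
#define FCGI_RESERVED_LEN   5
#define FCGI_RESERVED_OFF   (FCGI_HEADER_LEN + 3)  /* reserved bytes follow role and flags */

/* Write the 8-byte FCGI_Header: version, type, requestId (BE), contentLength (BE),
 * paddingLength, reserved. */
static size_t fcgi_put_header(uint8_t *out, uint8_t type, uint16_t req_id, uint16_t content_len)
{
    out[0] = FCGI_VERSION_1;
    out[1] = type;
    out[2] = (uint8_t)(req_id >> 8);
    out[3] = (uint8_t)(req_id & 0xff);
    out[4] = (uint8_t)(content_len >> 8);
    out[5] = (uint8_t)(content_len & 0xff);
    out[6] = 0;   /* paddingLength */
    out[7] = 0;   /* reserved */
    return FCGI_HEADER_LEN;
}

/* Flawed encoder (hypothetical, modelled on the defect the advisory describes):
 * role and flags are stored, but the cursor is advanced over the 5 reserved
 * bytes without writing them, so the buffer's previous contents are sent. */
size_t fcgi_encode_begin_request_leaky(uint8_t *buf, uint16_t req_id, uint16_t role, uint8_t flags)
{
    size_t n = fcgi_put_header(buf, FCGI_BEGIN_REQUEST, req_id, FCGI_BEGIN_BODY_LEN);
    buf[n++] = (uint8_t)(role >> 8);
    buf[n++] = (uint8_t)(role & 0xff);
    buf[n++] = flags;
    n += FCGI_RESERVED_LEN;   /* BUG: reserved bytes never initialised */
    return n;
}

/* Hardened encoder: the reserved bytes are zeroed before the cursor moves past them. */
size_t fcgi_encode_begin_request_fixed(uint8_t *buf, uint16_t req_id, uint16_t role, uint8_t flags)
{
    size_t n = fcgi_put_header(buf, FCGI_BEGIN_REQUEST, req_id, FCGI_BEGIN_BODY_LEN);
    buf[n++] = (uint8_t)(role >> 8);
    buf[n++] = (uint8_t)(role & 0xff);
    buf[n++] = flags;
    memset(buf + n, 0, FCGI_RESERVED_LEN);
    n += FCGI_RESERVED_LEN;
    return n;
}

/* Receiver-side check: copy the reserved bytes out of an encoded record and
 * return how many of them are non-zero (a conforming record yields 0). */
int fcgi_reserved_nonzero(const uint8_t *rec, uint8_t reserved_out[FCGI_RESERVED_LEN])
{
    int nonzero = 0;
    for (int i = 0; i < FCGI_RESERVED_LEN; i++) {
        uint8_t b = rec[FCGI_RESERVED_OFF + i];
        if (reserved_out)
            reserved_out[i] = b;
        if (b)
            nonzero++;
    }
    return nonzero;
}

/* Constructed sample: a connection buffer that earlier carried a client header
 * and is reused for the next request without being cleared. */
static const char STALE_BUFFER[] = "Authorization: Bearer s3cr3t-token-value";

/* Encode one FCGI_BEGIN_REQUEST into the reused buffer and report how many stale
 * bytes ended up in the reserved field; use_fixed selects the hardened encoder. */
int demo_leak(int use_fixed, uint8_t reserved_out[FCGI_RESERVED_LEN])
{
    uint8_t buf[64];
    memcpy(buf, STALE_BUFFER, sizeof STALE_BUFFER);   /* simulate leftover data */
    if (use_fixed)
        fcgi_encode_begin_request_fixed(buf, 1, FCGI_RESPONDER, FCGI_KEEP_CONN);
    else
        fcgi_encode_begin_request_leaky(buf, 1, FCGI_RESPONDER, FCGI_KEEP_CONN);
    return fcgi_reserved_nonzero(buf, reserved_out);
}

int main(void)
{
    uint8_t r[FCGI_RESERVED_LEN];
    int n = demo_leak(0, r);
    printf("leaky encoder: %d stale byte(s) in reserved field: \"%.5s\"\n", n, (const char *)r);
    n = demo_leak(1, r);
    printf("fixed encoder: %d stale byte(s) in reserved field\n", n);
    return 0;
}
```

With the leaky encoder the backend receives a fragment of the previous client's header in the reserved field; with the fixed encoder the field is all zeros. The same receiver-side check can be run against captured FastCGI traffic to tell whether a proxy in front of a backend still emits uninitialised reserved bytes.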

Database specific
{
    "cpes": [
        "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:haproxy:haproxy:2.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:haproxy:haproxy:2.3.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:haproxy:haproxy:2.7.0:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / haproxy

Package

Name
haproxy
Purl
pkg:bitnami/haproxy

Severity

  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected ranges

Type: SEMVER
Events
  • Introduced 2.2.0, Fixed 2.2.27
  • Introduced 2.4.0, Fixed 2.4.21
  • Introduced 2.5.0, Fixed 2.5.11
  • Introduced 2.6.0, Fixed 2.6.8

Type: SEMVER
Events
  • Introduced 2.1.0, Last affected 2.1.0
  • Introduced 2.3.0, Last affected 2.3.0
  • Introduced 2.7.0, Last affected 2.7.0

Note that the Details text lists 2.1 and 2.3 as affected with no fixed version, while the ranges above name only 2.1.0 and 2.3.0; when matching installed versions, treat the whole 2.1.x and 2.3.x branches as affected. For 2.7 the range is exact: 2.7.0 is affected and 2.7.1 contains the fix.