CVE-2021-40346

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-40346
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-40346.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-40346
Aliases
Related
Published
2021-09-08T17:15:12Z
Modified
2024-12-03T00:51:13.507484Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An integer overflow exists in HAProxy 2.0 through 2.5 in htxaddheader that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

References

Affected packages

Debian:11 / haproxy

Package

Name
haproxy
Purl
pkg:deb/debian/haproxy?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.9-2+deb11u2

Affected versions

2.*

2.2.9-2
2.2.9-2+deb11u1~bpo10+1
2.2.9-2+deb11u1
2.2.9-2+deb11u2~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / haproxy

Package

Name
haproxy
Purl
pkg:deb/debian/haproxy?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.16-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / haproxy

Package

Name
haproxy
Purl
pkg:deb/debian/haproxy?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.16-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / git.haproxy.org/haproxy-2.7.git

Affected ranges

Type
GIT
Repo
https://git.haproxy.org/haproxy-2.7.git
Events
Introduced
6cbbecf09734aeb5fa8bb88f36f06a6f6d35e813
Fixed
4d711760de1ca0a3734a0a813cb0012dc3d2628a
Type
GIT
Repo
https://github.com/haproxy/haproxy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.18
v1.1.19
v1.1.2
v1.1.20
v1.1.21
v1.1.22
v1.1.23
v1.1.24
v1.1.25
v1.1.26
v1.1.27
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.2.0
v1.2.1
v1.2.1-pre1
v1.2.1-pre2
v1.2.1-pre3
v1.2.10
v1.2.10.1
v1.2.11
v1.2.11.1
v1.2.12
v1.2.13
v1.2.13.1
v1.2.14
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.5-pre1
v1.2.5-pre2
v1.2.5-pre3
v1.2.5-pre4
v1.2.5.1
v1.2.5.2
v1.2.6
v1.2.6-pre4
v1.2.6-pre5
v1.2.7
v1.2.7.1
v1.2.7rc
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.10.1
v1.3.10.2
v1.3.11
v1.3.11.1
v1.3.11.2
v1.3.11.3
v1.3.11.4
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.16-rc1
v1.3.16-rc2
v1.3.17
v1.3.18
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.6.1
v1.3.7
v1.3.8
v1.3.8.1
v1.3.8.2
v1.3.9
v1.4-dev0
v1.4-dev1
v1.4-dev2
v1.4-dev3
v1.4-dev4
v1.4-dev5
v1.4-dev6
v1.4-dev7
v1.4-dev8
v1.4-rc1
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.5-dev10
v1.5-dev12
v1.5-dev13
v1.5-dev14
v1.5-dev15
v1.5-dev16
v1.5-dev17
v1.5-dev18
v1.5-dev19
v1.5-dev20
v1.5-dev21
v1.5-dev22
v1.5-dev23
v1.5-dev24
v1.5-dev25
v1.5-dev26
v1.5-dev8
v1.5-dev9
v1.5.0
v1.6-dev0
v1.6-dev1
v1.6-dev2
v1.6-dev3
v1.6-dev4
v1.6-dev5
v1.6-dev6
v1.6-dev7
v1.6.0
v1.7-dev0
v1.7-dev1
v1.7-dev2
v1.7-dev3
v1.7-dev4
v1.7-dev5
v1.7-dev6
v1.7.0
v1.8-dev0
v1.8-dev1
v1.8-dev2
v1.8-dev3
v1.8-rc1
v1.8-rc2
v1.8-rc3
v1.8-rc4
v1.8.0
v1.9-dev0
v1.9-dev1
v1.9-dev10
v1.9-dev11
v1.9-dev2
v1.9-dev3
v1.9-dev4
v1.9-dev5
v1.9-dev6
v1.9-dev7
v1.9-dev8
v1.9-dev9
v1.9.0

v2.*

v2.0-dev0
v2.0-dev1
v2.0-dev2
v2.0-dev3
v2.0-dev4
v2.0-dev5
v2.0-dev6
v2.0-dev7
v2.0.0
v2.1-dev0
v2.1-dev1
v2.1-dev2
v2.1-dev3
v2.1-dev4
v2.1-dev5
v2.1.0
v2.2-dev0
v2.2-dev1
v2.2-dev10
v2.2-dev11
v2.2-dev12
v2.2-dev2
v2.2-dev3
v2.2-dev4
v2.2-dev5
v2.2-dev6
v2.2-dev7
v2.2-dev8
v2.2-dev9
v2.2.0
v2.3-dev0
v2.3-dev1
v2.3-dev2
v2.3-dev3
v2.3-dev4
v2.3-dev5
v2.3-dev6
v2.3-dev7
v2.3-dev8
v2.3-dev9
v2.3.0
v2.4-dev0
v2.4-dev1
v2.4-dev10
v2.4-dev11
v2.4-dev12
v2.4-dev13
v2.4-dev14
v2.4-dev15
v2.4-dev16
v2.4-dev17
v2.4-dev18
v2.4-dev19
v2.4-dev2
v2.4-dev3
v2.4-dev4
v2.4-dev5
v2.4-dev6
v2.4-dev7
v2.4-dev8
v2.4-dev9
v2.4.0
v2.5-dev0
v2.5-dev1
v2.5-dev2
v2.5-dev3
v2.5-dev4
v2.5-dev5
v2.5-dev6