CVE-2023-0836

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-0836
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-0836.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-0836
Aliases
Downstream
Related
Published
2023-03-29T21:15:07.950Z
Modified
2026-03-13T06:50:41.305181Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGIBEGINREQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.

References

Affected packages

Git / git.haproxy.org/haproxy-2.2.git

Affected ranges

Type
GIT
Repo
https://git.haproxy.org/haproxy-2.2.git
Events
Introduced
3a00c915fd241fc398a080a11ccac9c5c46791ce
Fixed
2f51eeb60f7f07e76a3248ba9a0757236216aed3
Database specific 
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.27"
        }
    ]
}
Type
GIT
Repo
https://git.haproxy.org/haproxy-2.4.git
Events
Introduced
6cbbecf09734aeb5fa8bb88f36f06a6f6d35e813
Last affected
4c20ccb302a648bcf28a2f1879c315be4029fafa
Database specific 
{
    "versions": [
        {
            "introduced": "2.4.0"
        },
        {
            "last_affected": "2.4.21"
        }
    ]
}
Type
GIT
Repo
https://github.com/haproxy/haproxy
Events
Introduced
f2e0833f16aa8c09e1c7001ff55aac4f13c643b7
Last affected
b4d0cd02c14d4db1cf54b0bd8ee328fb198553f3
Introduced
a1efc048bf8a5e14466dbe7317e73117e8d66176
Last affected
026fef98a014b9860f7058eae437ff0a11c78e20
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
e54b43af1ec9dc656c04b09118583cb3c2ce56fa
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1c0a722a83e7c45456a2b82c15889ab9ab5c4948
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
437fd289f2e32e56498d2d4da63852d483f284ef
Database specific 
{
    "versions": [
        {
            "introduced": "2.5.0"
        },
        {
            "last_affected": "2.5.11"
        },
        {
            "introduced": "2.6.0"
        },
        {
            "last_affected": "2.6.8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.1.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.7.0"
        }
    ]
}

Affected versions

v2.*
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.4.0
v2.4.1
v2.4.10
v2.4.11
v2.4.12
v2.4.13
v2.4.14
v2.4.15
v2.4.16
v2.4.17
v2.4.18
v2.4.19
v2.4.2
v2.4.20
v2.4.21
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-0836.json"