Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2023-45539 (GCVE-0-2023-45539)
Vulnerability from cvelistv5 – Published: 2023-11-28 00:00 – Updated: 2024-10-15 17:44
VLAI
EPSS
Summary
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
Severity
8.2 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:21:16.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html"
},
{
"name": "[debian-lts-announce] 20231214 [SECURITY] [DLA 3688-1] haproxy security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-45539",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T17:28:42.397821Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T17:44:03.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T17:06:29.095Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html"
},
{
"url": "https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6"
},
{
"url": "https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html"
},
{
"name": "[debian-lts-announce] 20231214 [SECURITY] [DLA 3688-1] haproxy security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-45539",
"datePublished": "2023-11-28T00:00:00.000Z",
"dateReserved": "2023-10-09T00:00:00.000Z",
"dateUpdated": "2024-10-15T17:44:03.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-45539",
"date": "2026-05-27",
"epss": "0.00027",
"percentile": "0.08127"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.8.2\", \"matchCriteriaId\": \"7AF854C8-A9F6-4C2B-BB89-AD9B8A9F866C\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.\"}, {\"lang\": \"es\", \"value\": \"HAProxy anterior a 2.8.2 acepta # como parte del componente URI, lo que podr\\u00eda permitir a atacantes remotos obtener informaci\\u00f3n confidencial o tener otro impacto no especificado tras una mala interpretaci\\u00f3n de una regla path_end, como enrutar index.html#.png a un servidor est\\u00e1tico.\"}]",
"id": "CVE-2023-45539",
"lastModified": "2024-11-21T08:26:56.747",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.2}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.2}]}",
"published": "2023-11-28T20:15:07.817",
"references": "[{\"url\": \"https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6\", \"source\": \"cve@mitre.org\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-116\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-45539\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-11-28T20:15:07.817\",\"lastModified\":\"2024-11-21T08:26:56.747\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.\"},{\"lang\":\"es\",\"value\":\"HAProxy anterior a 2.8.2 acepta # como parte del componente URI, lo que podr\u00eda permitir a atacantes remotos obtener informaci\u00f3n confidencial o tener otro impacto no especificado tras una mala interpretaci\u00f3n de una regla path_end, como enrutar index.html#.png a un servidor est\u00e1tico.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-116\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.8.2\",\"matchCriteriaId\":\"7AF854C8-A9F6-4C2B-BB89-AD9B8A9F866C\"}]}]}],\"references\":[{\"url\":\"https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html\", \"name\": \"[debian-lts-announce] 20231214 [SECURITY] [DLA 3688-1] haproxy security update\", \"tags\": [\"mailing-list\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T20:21:16.699Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-45539\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-15T17:28:42.397821Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116 Improper Encoding or Escaping of Output\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-15T17:43:54.469Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html\"}, {\"url\": \"https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6\"}, {\"url\": \"https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html\", \"name\": \"[debian-lts-announce] 20231214 [SECURITY] [DLA 3688-1] haproxy security update\", \"tags\": [\"mailing-list\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-12-14T17:06:29.095Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-45539\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-15T17:44:03.661Z\", \"dateReserved\": \"2023-10-09T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2023-11-28T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
alsa-2024:1142
Vulnerability from osv_almalinux
Published
2024-03-05 00:00
Modified
2024-03-06 14:17
Summary
Moderate: haproxy security update
Details
The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.
Security Fix(es):
- haproxy: Proxy forwards malformed empty Content-Length headers (CVE-2023-40225)
- haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "haproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.22-3.el9_3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.\n\nSecurity Fix(es):\n\n* haproxy: Proxy forwards malformed empty Content-Length headers (CVE-2023-40225)\n* haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2024:1142",
"modified": "2024-03-06T14:17:10Z",
"published": "2024-03-05T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2024:1142"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-40225"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-45539"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2231370"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2253037"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2024-1142.html"
}
],
"related": [
"CVE-2023-40225",
"CVE-2023-45539"
],
"summary": "Moderate: haproxy security update"
}
alsa-2024:8849
Vulnerability from osv_almalinux
Published
2024-11-05 00:00
Modified
2024-11-06 09:59
Summary
Moderate: haproxy security update
Details
The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.
Security Fix(es):
- haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "haproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.27-5.el8_10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications. \n\nSecurity Fix(es): \n\n * haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2024:8849",
"modified": "2024-11-06T09:59:57Z",
"published": "2024-11-05T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2024:8849"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-45539"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2253037"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2024-8849.html"
}
],
"related": [
"CVE-2023-45539"
],
"summary": "Moderate: haproxy security update"
}
BDU:2024-02423
Vulnerability from fstec - Published: 28.11.2023
VLAI
Title
Уязвимость серверного программного обеспечения HAProxy, связанная с обходом аутентификации с использованием альтернативного пути или канала, позволяющая нарушителю получить конфиденциальную информацию
Description
Уязвимость серверного программного обеспечения HAProxy связана с принятием # как часть компонента URI. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить конфиденциальную информацию
Severity
Vendor
ООО «РусБИТех-Астра», ООО «Ред Софт», Willy Terreau, АО "НППКТ"
Software Name
Astra Linux Special Edition (запись в едином реестре российских программ №369), Astra Linux Special Edition для «Эльбрус» (запись в едином реестре российских программ №11156), РЕД ОС (запись в едином реестре российских программ №3751), HAProxy, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)
Software Version
1.6 «Смоленск» (Astra Linux Special Edition), 8.1 «Ленинград» (Astra Linux Special Edition для «Эльбрус»), 7.3 (РЕД ОС), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), до 2.8.2 (HAProxy), до 2.10 (ОСОН ОСнова Оnyx)
Possible Mitigations
Для HAProxy:
https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html
Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Для ОСОН ОСнова Оnyx (версия 2.10):
Обновление программного обеспечения haproxy до версии 1.8.19-1+deb10u5
Для ОС Astra Linux:
обновить пакет haproxy до 2.2.32-5astra14 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17
Для Astra Linux Special Edition 1.6 «Смоленск»::
обновить пакет haproxy до 2.2.32-5astra14 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16
Для Astra Linux Special Edition 4.7 для архитектуры ARM:
обновить пакет haproxy до 2.2.32-5astra14 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47
Для ОС Astra Linux:
обновить пакет haproxy до 2.2.32-5astra14 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se81-bulletin-20241206SE81
Reference
https://redos.red-soft.ru/support/secure/
https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.10/
https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17
https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16
https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47
https://wiki.astralinux.ru/astra-linux-se81-bulletin-20241206SE81
CWE
CWE-288
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:P/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Willy Terreau, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), \u0434\u043e 2.8.2 (HAProxy), \u0434\u043e 2.10 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f HAProxy:\nhttps://www.mail-archive.com/haproxy%40formilux.org/msg43861.html\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0432\u0435\u0440\u0441\u0438\u044f 2.10):\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f haproxy \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1.8.19-1+deb10u5\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 haproxy \u0434\u043e 2.2.32-5astra14 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17\n\n\u0414\u043b\u044f Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb::\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 haproxy \u0434\u043e 2.2.32-5astra14 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16\n\n\u0414\u043b\u044f Astra Linux Special Edition 4.7 \u0434\u043b\u044f \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b ARM:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 haproxy \u0434\u043e 2.2.32-5astra14 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 haproxy \u0434\u043e 2.2.32-5astra14 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se81-bulletin-20241206SE81",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "28.11.2023",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "29.01.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "01.04.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-02423",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-45539",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), HAProxy, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.10 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f HAProxy, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0430\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u043f\u0443\u0442\u0438 \u0438\u043b\u0438 \u043a\u0430\u043d\u0430\u043b\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041e\u0431\u0445\u043e\u0434 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u0430\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u043f\u0443\u0442\u0438 \u0438\u043b\u0438 \u043a\u0430\u043d\u0430\u043b\u0430 (CWE-288)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f HAProxy \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435\u043c # \u043a\u0430\u043a \u0447\u0430\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 URI. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://redos.red-soft.ru/support/secure/\nhttps://www.mail-archive.com/haproxy%40formilux.org/msg43861.html\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.10/\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2024-0830SE17\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20241017SE16\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-1031SE47\nhttps://wiki.astralinux.ru/astra-linux-se81-bulletin-20241206SE81",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-288",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,5)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,2)"
}
bit-haproxy-2023-45539
Vulnerability from bitnami_vulndb
Published
2024-03-06 10:52
Modified
2025-04-03 14:40
Summary
Details
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "haproxy",
"purl": "pkg:bitnami/haproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.2"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2023-45539"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.",
"id": "BIT-haproxy-2023-45539",
"modified": "2025-04-03T14:40:37.652Z",
"published": "2024-03-06T10:52:59.807Z",
"references": [
{
"type": "WEB",
"url": "https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html"
},
{
"type": "WEB",
"url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539"
}
],
"schema_version": "1.5.0"
}
FKIE_CVE-2023-45539
Vulnerability from fkie_nvd - Published: 2023-11-28 20:15 - Updated: 2024-11-21 08:26
Severity
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6 | Broken Link | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html | ||
| cve@mitre.org | https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html | Mailing List | |
| cve@mitre.org | https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html | Release Notes |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7AF854C8-A9F6-4C2B-BB89-AD9B8A9F866C",
"versionEndExcluding": "2.8.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server."
},
{
"lang": "es",
"value": "HAProxy anterior a 2.8.2 acepta # como parte del componente URI, lo que podr\u00eda permitir a atacantes remotos obtener informaci\u00f3n confidencial o tener otro impacto no especificado tras una mala interpretaci\u00f3n de una regla path_end, como enrutar index.html#.png a un servidor est\u00e1tico."
}
],
"id": "CVE-2023-45539",
"lastModified": "2024-11-21T08:26:56.747",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-11-28T20:15:07.817",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6"
},
{
"source": "cve@mitre.org",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-79Q7-M98P-QVHP
Vulnerability from github – Published: 2023-11-28 21:30 – Updated: 2023-12-04 21:30
VLAI
Details
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
Severity
8.2 (High)
{
"affected": [],
"aliases": [
"CVE-2023-45539"
],
"database_specific": {
"cwe_ids": [
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-28T20:15:07Z",
"severity": "HIGH"
},
"details": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.",
"id": "GHSA-79q7-m98p-qvhp",
"modified": "2023-12-04T21:30:52Z",
"published": "2023-11-28T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539"
},
{
"type": "WEB",
"url": "https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html"
},
{
"type": "WEB",
"url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GSD-2023-45539
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-45539",
"id": "GSD-2023-45539"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-45539"
],
"details": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.",
"id": "GSD-2023-45539",
"modified": "2023-12-13T01:20:38.450940Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2023-45539",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html",
"refsource": "MISC",
"url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html"
},
{
"name": "https://git.haproxy.org/?p=haproxy.git;a=commit;h=2eab6d354322932cfec2ed54de261e4347eca9a6",
"refsource": "MISC",
"url": "https://git.haproxy.org/?p=haproxy.git;a=commit;h=2eab6d354322932cfec2ed54de261e4347eca9a6"
},
{
"name": "https://www.mail-archive.com/haproxy@formilux.org/msg43861.html",
"refsource": "MISC",
"url": "https://www.mail-archive.com/haproxy@formilux.org/msg43861.html"
},
{
"name": "[debian-lts-announce] 20231214 [SECURITY] [DLA 3688-1] haproxy security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7AF854C8-A9F6-4C2B-BB89-AD9B8A9F866C",
"versionEndExcluding": "2.8.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server."
},
{
"lang": "es",
"value": "HAProxy anterior a 2.8.2 acepta # como parte del componente URI, lo que podr\u00eda permitir a atacantes remotos obtener informaci\u00f3n confidencial o tener otro impacto no especificado tras una mala interpretaci\u00f3n de una regla path_end, como enrutar index.html#.png a un servidor est\u00e1tico."
}
],
"id": "CVE-2023-45539",
"lastModified": "2023-12-14T17:15:07.860",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-28T20:15:07.817",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6"
},
{
"source": "cve@mitre.org",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
MSRC_CVE-2023-45539
Vulnerability from csaf_microsoft - Published: 2023-11-01 07:00 - Updated: 2025-10-01 23:11Summary
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
8.2 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17219-17086 | — |
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17086-1 | — |
Vendor Fix
fix
|
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2023-45539 HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-45539.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.",
"tracking": {
"current_release_date": "2025-10-01T23:11:33.000Z",
"generator": {
"date": "2025-10-20T00:47:01.428Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2023-45539",
"initial_release_date": "2023-11-01T07:00:00.000Z",
"revision_history": [
{
"date": "2025-10-01T23:11:33.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 haproxy 2.4.24-1",
"product": {
"name": "\u003ccbl2 haproxy 2.4.24-1",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 haproxy 2.4.24-1",
"product": {
"name": "cbl2 haproxy 2.4.24-1",
"product_id": "17219"
}
}
],
"category": "product_name",
"name": "haproxy"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 haproxy 2.4.24-1 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 haproxy 2.4.24-1 as a component of CBL Mariner 2.0",
"product_id": "17219-17086"
},
"product_reference": "17219",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45539",
"notes": [
{
"category": "general",
"text": "mitre",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"17219-17086"
],
"known_affected": [
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-45539 HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-45539.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2025-10-01T23:11:33.000Z",
"details": "2.4.24-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 8.2,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"17086-1"
]
}
],
"title": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server."
}
]
}
RHSA-2024:10267
Vulnerability from csaf_redhat - Published: 2024-11-26 00:37 - Updated: 2026-03-18 02:47Summary
Red Hat Security Advisory: haproxy security update
Severity
Moderate
Notes
Topic: An update for haproxy is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.
Security Fix(es):
* haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
5.3 (Medium)
Affected products
Fixed
13 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
8 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2024:10267 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2253037 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2023-45539 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2253037 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-45539 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-45539 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for haproxy is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.\n\nSecurity Fix(es):\n\n* haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10267",
"url": "https://access.redhat.com/errata/RHSA-2024:10267"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2253037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253037"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10267.json"
}
],
"title": "Red Hat Security Advisory: haproxy security update",
"tracking": {
"current_release_date": "2026-03-18T02:47:47+00:00",
"generator": {
"date": "2026-03-18T02:47:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2024:10267",
"initial_release_date": "2024-11-26T00:37:55+00:00",
"revision_history": [
{
"date": "2024-11-26T00:37:55+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-11-26T00:37:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T02:47:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:8.8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:1.8.27-5.el8_8.1.src",
"product": {
"name": "haproxy-0:1.8.27-5.el8_8.1.src",
"product_id": "haproxy-0:1.8.27-5.el8_8.1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@1.8.27-5.el8_8.1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:1.8.27-5.el8_8.1.aarch64",
"product": {
"name": "haproxy-0:1.8.27-5.el8_8.1.aarch64",
"product_id": "haproxy-0:1.8.27-5.el8_8.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@1.8.27-5.el8_8.1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64",
"product": {
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64",
"product_id": "haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@1.8.27-5.el8_8.1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64",
"product": {
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64",
"product_id": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@1.8.27-5.el8_8.1?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:1.8.27-5.el8_8.1.ppc64le",
"product": {
"name": "haproxy-0:1.8.27-5.el8_8.1.ppc64le",
"product_id": "haproxy-0:1.8.27-5.el8_8.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@1.8.27-5.el8_8.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le",
"product": {
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le",
"product_id": "haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@1.8.27-5.el8_8.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le",
"product": {
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le",
"product_id": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@1.8.27-5.el8_8.1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:1.8.27-5.el8_8.1.x86_64",
"product": {
"name": "haproxy-0:1.8.27-5.el8_8.1.x86_64",
"product_id": "haproxy-0:1.8.27-5.el8_8.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@1.8.27-5.el8_8.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64",
"product": {
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64",
"product_id": "haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@1.8.27-5.el8_8.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64",
"product": {
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64",
"product_id": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@1.8.27-5.el8_8.1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:1.8.27-5.el8_8.1.s390x",
"product": {
"name": "haproxy-0:1.8.27-5.el8_8.1.s390x",
"product_id": "haproxy-0:1.8.27-5.el8_8.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@1.8.27-5.el8_8.1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x",
"product": {
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x",
"product_id": "haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@1.8.27-5.el8_8.1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x",
"product": {
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x",
"product_id": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@1.8.27-5.el8_8.1?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-5.el8_8.1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.aarch64"
},
"product_reference": "haproxy-0:1.8.27-5.el8_8.1.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-5.el8_8.1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.ppc64le"
},
"product_reference": "haproxy-0:1.8.27-5.el8_8.1.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-5.el8_8.1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.s390x"
},
"product_reference": "haproxy-0:1.8.27-5.el8_8.1.s390x",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-5.el8_8.1.src as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.src"
},
"product_reference": "haproxy-0:1.8.27-5.el8_8.1.src",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-5.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.x86_64"
},
"product_reference": "haproxy-0:1.8.27-5.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64"
},
"product_reference": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le"
},
"product_reference": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x"
},
"product_reference": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64"
},
"product_reference": "haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64"
},
"product_reference": "haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le"
},
"product_reference": "haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x"
},
"product_reference": "haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v.8.8)",
"product_id": "AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64"
},
"product_reference": "haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64",
"relates_to_product_reference": "AppStream-8.8.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45539",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2023-12-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2253037"
}
],
"notes": [
{
"category": "description",
"text": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.aarch64",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.s390x",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.src",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.x86_64",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45539"
},
{
"category": "external",
"summary": "RHBZ#2253037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45539"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539"
}
],
"release_date": "2023-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-26T00:37:55+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.aarch64",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.s390x",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.src",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.x86_64",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10267"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.aarch64",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.s390x",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.src",
"AppStream-8.8.0.Z.EUS:haproxy-0:1.8.27-5.el8_8.1.x86_64",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.aarch64",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.s390x",
"AppStream-8.8.0.Z.EUS:haproxy-debuginfo-0:1.8.27-5.el8_8.1.x86_64",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.aarch64",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.ppc64le",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.s390x",
"AppStream-8.8.0.Z.EUS:haproxy-debugsource-0:1.8.27-5.el8_8.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers"
}
]
}
RHSA-2024:10271
Vulnerability from csaf_redhat - Published: 2024-11-26 00:43 - Updated: 2026-03-18 02:47Summary
Red Hat Security Advisory: haproxy security update
Severity
Moderate
Notes
Topic: An update for haproxy is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.
Security Fix(es):
* haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
5.3 (Medium)
Affected products
Fixed
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.AUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.TUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-8.4.0.Z.TUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64 | — |
Vendor Fix
fix
|
Threats
Impact
Moderate
References
8 references
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2024:10271 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2253037 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2023-45539 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2253037 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-45539 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-45539 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for haproxy is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The haproxy packages provide a reliable, high-performance network load balancer for TCP and HTTP-based applications.\n\nSecurity Fix(es):\n\n* haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers (CVE-2023-45539)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:10271",
"url": "https://access.redhat.com/errata/RHSA-2024:10271"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2253037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253037"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10271.json"
}
],
"title": "Red Hat Security Advisory: haproxy security update",
"tracking": {
"current_release_date": "2026-03-18T02:47:48+00:00",
"generator": {
"date": "2026-03-18T02:47:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2024:10271",
"initial_release_date": "2024-11-26T00:43:41+00:00",
"revision_history": [
{
"date": "2024-11-26T00:43:41+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-11-26T00:43:41+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T02:47:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_aus:8.4::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream E4S (v.8.4)",
"product_id": "AppStream-8.4.0.Z.E4S",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_e4s:8.4::appstream"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.4)",
"product": {
"name": "Red Hat Enterprise Linux AppStream TUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.TUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_tus:8.4::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:1.8.27-2.el8_4.1.src",
"product": {
"name": "haproxy-0:1.8.27-2.el8_4.1.src",
"product_id": "haproxy-0:1.8.27-2.el8_4.1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@1.8.27-2.el8_4.1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:1.8.27-2.el8_4.1.x86_64",
"product": {
"name": "haproxy-0:1.8.27-2.el8_4.1.x86_64",
"product_id": "haproxy-0:1.8.27-2.el8_4.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@1.8.27-2.el8_4.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"product": {
"name": "haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"product_id": "haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@1.8.27-2.el8_4.1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"product": {
"name": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"product_id": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@1.8.27-2.el8_4.1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "haproxy-0:1.8.27-2.el8_4.1.ppc64le",
"product": {
"name": "haproxy-0:1.8.27-2.el8_4.1.ppc64le",
"product_id": "haproxy-0:1.8.27-2.el8_4.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy@1.8.27-2.el8_4.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le",
"product": {
"name": "haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le",
"product_id": "haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debugsource@1.8.27-2.el8_4.1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le",
"product": {
"name": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le",
"product_id": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/haproxy-debuginfo@1.8.27-2.el8_4.1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-2.el8_4.1.src as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.src"
},
"product_reference": "haproxy-0:1.8.27-2.el8_4.1.src",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-2.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.x86_64"
},
"product_reference": "haproxy-0:1.8.27-2.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64"
},
"product_reference": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream AUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.AUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64"
},
"product_reference": "haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.AUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-2.el8_4.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
"product_id": "AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.ppc64le"
},
"product_reference": "haproxy-0:1.8.27-2.el8_4.1.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-2.el8_4.1.src as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
"product_id": "AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.src"
},
"product_reference": "haproxy-0:1.8.27-2.el8_4.1.src",
"relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-2.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
"product_id": "AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.x86_64"
},
"product_reference": "haproxy-0:1.8.27-2.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
"product_id": "AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le"
},
"product_reference": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
"product_id": "AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64"
},
"product_reference": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
"product_id": "AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le"
},
"product_reference": "haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream E4S (v.8.4)",
"product_id": "AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64"
},
"product_reference": "haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.E4S"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-2.el8_4.1.src as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.src"
},
"product_reference": "haproxy-0:1.8.27-2.el8_4.1.src",
"relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-0:1.8.27-2.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.x86_64"
},
"product_reference": "haproxy-0:1.8.27-2.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.TUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64"
},
"product_reference": "haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64 as a component of Red Hat Enterprise Linux AppStream TUS (v.8.4)",
"product_id": "AppStream-8.4.0.Z.TUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64"
},
"product_reference": "haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.TUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-45539",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2023-12-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2253037"
}
],
"notes": [
{
"category": "description",
"text": "HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.src",
"AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.ppc64le",
"AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.src",
"AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le",
"AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le",
"AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.src",
"AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.TUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.TUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-45539"
},
{
"category": "external",
"summary": "RHBZ#2253037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-45539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45539"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45539"
}
],
"release_date": "2023-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-11-26T00:43:41+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.src",
"AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.ppc64le",
"AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.src",
"AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le",
"AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le",
"AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.src",
"AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.TUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.TUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:10271"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.src",
"AppStream-8.4.0.Z.AUS:haproxy-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.AUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.ppc64le",
"AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.src",
"AppStream-8.4.0.Z.E4S:haproxy-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.ppc64le",
"AppStream-8.4.0.Z.E4S:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.ppc64le",
"AppStream-8.4.0.Z.E4S:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.src",
"AppStream-8.4.0.Z.TUS:haproxy-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.TUS:haproxy-debuginfo-0:1.8.27-2.el8_4.1.x86_64",
"AppStream-8.4.0.Z.TUS:haproxy-debugsource-0:1.8.27-2.el8_4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…