fkie_cve-2019-18277
Vulnerability from fkie_nvd
Published
2019-10-23 14:15
Modified
2024-11-21 04:32
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" value were not being correctly rejected. The impact was limited but if combined with the "http-reuse always" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).
References
cve@mitre.orghttp://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html
cve@mitre.orghttp://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html
cve@mitre.orghttps://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=196a7df44d8129d1adc795da020b722614d6a581
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2022/05/msg00045.html
cve@mitre.orghttps://nathandavison.com/blog/haproxy-http-request-smugglingExploit, Third Party Advisory
cve@mitre.orghttps://usn.ubuntu.com/4174-1/
cve@mitre.orghttps://www.mail-archive.com/haproxy%40formilux.org/msg34926.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html
af854a3a-2127-422b-91ae-364da2661108https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=196a7df44d8129d1adc795da020b722614d6a581
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html
af854a3a-2127-422b-91ae-364da2661108https://nathandavison.com/blog/haproxy-http-request-smugglingExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4174-1/
af854a3a-2127-422b-91ae-364da2661108https://www.mail-archive.com/haproxy%40formilux.org/msg34926.html
Impacted products
Vendor Product Version
haproxy haproxy *


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B76D46D9-8507-4E75-AFCD-D8BADBC38ADC",
                     versionEndExcluding: "2.0.6",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the \"chunked\" value were not being correctly rejected. The impact was limited but if combined with the \"http-reuse always\" setting, it could be used to help construct an HTTP request smuggling attack against a vulnerable component employing a lenient parser that would ignore the content-length header as soon as it saw a transfer-encoding one (even if not entirely valid according to the specification).",
      },
      {
         lang: "es",
         value: "Se encontró un fallo en HAProxy versiones anteriores a 2.0.6. En el modo legacy, los mensajes caracterizados por un encabezado de codificación de transferencia que no tenía el valor \"chunked\" no habían sido rechazados correctamente. El impacto fue limitado, pero si se combina con la configuración \"http-reuse always\", podría usarse para ayudar a construir un ataque de tráfico no autorizado de peticiones HTTP contra un componente vulnerable que emplee un analizador permisivo que ignore el encabezado de longitud de contenido tan pronto como se visualice uno de codificación de transferencia (incluso si no es completamente válido de acuerdo con la especificación).",
      },
   ],
   id: "CVE-2019-18277",
   lastModified: "2024-11-21T04:32:57.377",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2019-10-23T14:15:10.557",
   references: [
      {
         source: "cve@mitre.org",
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html",
      },
      {
         source: "cve@mitre.org",
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=196a7df44d8129d1adc795da020b722614d6a581",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://nathandavison.com/blog/haproxy-http-request-smuggling",
      },
      {
         source: "cve@mitre.org",
         url: "https://usn.ubuntu.com/4174-1/",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.mail-archive.com/haproxy%40formilux.org/msg34926.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00016.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00019.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=196a7df44d8129d1adc795da020b722614d6a581",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00045.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://nathandavison.com/blog/haproxy-http-request-smuggling",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://usn.ubuntu.com/4174-1/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.mail-archive.com/haproxy%40formilux.org/msg34926.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-444",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.