URI Parsing Vulnerability in HAProxy from HAProxy Technologies
CVE-2021-39240

CVSS v3.1 base score: 7.5 (HIGH)

Key Information:

Vendor: HAProxy
Status: Vendor
CVE Published: 17 August 2021

What is CVE-2021-39240?

An issue has been identified in HAProxy prior to certain fixed versions: HAProxy did not ensure that the scheme and path portions of a URI contain only the expected characters. Because of this missing validation, the request that a client or backend actually sees can differ from what the routing rules were intended to achieve; in particular, the authority field as observed on a target HTTP/2 server may not match what the proxy's rules assumed. An attacker could exploit such routing inconsistencies to perform unauthorized actions or access sensitive data.

CVSS v3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
