HTTP Host Header Vulnerability in HAProxy by HAProxy Technologies
CVE-2021-39242

7.5 HIGH

Key Information:

Vendor: Haproxy

Status
Vendor
CVE Published: 17 August 2021

What is CVE-2021-39242?

HAProxy versions prior to 2.2.16, 2.3.13, and 2.4.3 contain a flaw in how the software processes HTTP Host headers. An attacker can exploit it by sending specially crafted requests that manipulate the Host header, which HAProxy then handles improperly in relation to the request's authority component. This may allow unauthorized access to resources or other unintended behavior, so affected versions should be updated immediately.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
