Integer Overflow Vulnerability in HAProxy Versions 2.0 to 2.5
CVE-2021-40346

7.5HIGH

Key Information:

Vendor: Haproxy
Status: Haproxy
Vendor: CVE Published:; 8 September 2021

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 92%

What is CVE-2021-40346?

An integer overflow vulnerability is present in HAProxy versions 2.0 through 2.5. This flaw is associated with the htx_add_header function, enabling attackers to exploit the vulnerability to conduct an HTTP request smuggling attack. By bypassing all configured HTTP request Access Control Lists (ACLs) in HAProxy, the attacker may gain unauthorized access or manipulate HTTP requests, posing significant risks to web application security.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-40346
Created by knqyf263

CVE-2021-40346-POC
Created by donky16

HAProxy_CVE-2021-40346
Created by Vulnmachines

References

https://www.mail-archive.com/haproxy%40formilux.org

x_refsource_MISC

https://git.haproxy.org/?p=haproxy.git

x_refsource_MISC

https://www.debian.org/security/2021/dsa-4968

vendor-advisoryx_refsource_DEBIAN

EPSS Score

92% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jan 24, 2022
👾
Exploit known to exist
Jan 24, 2022
Vulnerability published
Sep 8, 2021
Vulnerability Reserved
Aug 31, 2021

Haproxy

Badges

What is CVE-2021-40346?

Exploit Proof of Concept (PoC)

References

EPSS Score

CVSS V3.1

Timeline