Information Leak Vulnerability in HAProxy Versions Prior to 2.4.21 and Others
CVE-2023-0836
7.5 HIGH
What is CVE-2023-0836?
An information leak vulnerability exists in specific versions of HAProxy due to uninitialized bytes in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. This flaw can lead to unintended disclosure of sensitive data to FastCGI backends, which could be exploited by attackers. It is crucial for users running affected versions of HAProxy to upgrade to the latest fixed releases to mitigate this risk.
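The defect class described above, shown as an added example that is not HAProxy's source: an encoder that skips the five reserved bytes of the FCGI_BEGIN_REQUEST body beside one that zeroes them, plus a backend-side check for a captured record. The record layout follows the FastCGI specification; the function names, the `zero_reserved` switch and the `'S'` filler bytes are constructed for illustration, and treating non-zero reserved bytes as a sign of a leak is an assumption of this check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FCGI_BEGIN_REQUEST 1   /* record type */
#define FCGI_RESPONDER     1   /* role */
#define FCGI_RECORD_LEN    16  /* 8-byte header + 8-byte body */

/* Encode one FCGI_BEGIN_REQUEST record. With zero_reserved == 0 the five
 * reserved body bytes are skipped instead of written, so whatever the
 * buffer held before is sent to the backend (the defect class above). */
size_t encode_begin_request(uint8_t *buf, size_t cap, uint16_t req_id,
                            uint16_t role, uint8_t flags, int zero_reserved)
{
    if (cap < FCGI_RECORD_LEN)
        return 0;
    const uint8_t rec[11] = { 1, FCGI_BEGIN_REQUEST,  /* version, type */
        (uint8_t)(req_id >> 8), (uint8_t)req_id,      /* requestId */
        0, 8,                                         /* contentLength */
        0, 0,                        /* paddingLength, header reserved */
        (uint8_t)(role >> 8), (uint8_t)role, flags }; /* role, flags */
    memcpy(buf, rec, sizeof rec);
    if (zero_reserved)
        memset(buf + 11, 0, 5);      /* the fix: write body reserved[5] */
    return FCGI_RECORD_LEN;
}

/* Backend-side check on a captured record: 1 = reserved bytes all zero,
 * 0 = non-zero reserved bytes (possible leak), -1 = not a BEGIN_REQUEST. */
int begin_request_reserved_clean(const uint8_t *rec, size_t len)
{
    if (len < FCGI_RECORD_LEN || rec[1] != FCGI_BEGIN_REQUEST || rec[5] != 8)
        return -1;
    for (size_t i = 11; i < FCGI_RECORD_LEN; i++)
        if (rec[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[FCGI_RECORD_LEN];
    memset(buf, 'S', sizeof buf);    /* constructed stale buffer contents */
    encode_begin_request(buf, sizeof buf, 1, FCGI_RESPONDER, 0, 0);
    printf("skipped: %d\n", begin_request_reserved_clean(buf, sizeof buf));
    encode_begin_request(buf, sizeof buf, 1, FCGI_RESPONDER, 0, 1);
    printf("zeroed:  %d\n", begin_request_reserved_clean(buf, sizeof buf));
    return 0;
}
```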
Affected Version(s)
HAProxy 2.8, HAProxy 2.7.1, HAProxy 2.6.8, HAProxy 2.5.11, HAProxy 2.4.21, HAProxy 2.2.27