HAProxy under attack: Remote Denial of Service vulnerability affects multiple versions
CVE-2024-45506

7.5HIGH

Key Information:

Vendor: Haproxy
Status: Haproxy
Vendor: CVE Published:; 4 September 2024

What is CVE-2024-45506?

HAProxy versions 2.9.x prior to 2.9.10, 3.0.x prior to 3.0.4, and 3.1.x up to and including 3.1-dev6 contain a vulnerability that allows for a remote denial of service through the HTTP/2 zero-copy forwarding process. This vulnerability can be exploited under specific conditions, impacting the availability of services utilizing the affected versions. Notably, the flaw has already been exploited in the wild in 2024.

References

https://www.haproxy.org/

https://www.haproxy.org/download/3.1/src/CHANGELOG

https://www.mail-archive.com/haproxy%40formilux.org/msg45...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 4, 2024

Haproxy

What is CVE-2024-45506?

References

CVSS V3.1

Timeline