CVE-2021-39241

Published: 17/08/2021 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

An issue exists in HAProxy 2.0 prior to 2.0.24, 2.2 prior to 2.2.16, 2.3 prior to 2.3.13, and 2.4 prior to 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example.
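
The mismatch described above, as an added example that is not HAProxy's code or part of the advisory: a front end that joins an unvalidated method and path into a request line, a lenient backend that reads only the first three fields, and the RFC 9110 token check that rejects the method. The function names, the field-splitting backend, and the assumption that method and path reach the front end as separate fields are hypothetical.

```python
import string

# RFC 9110 "token" characters: the only bytes allowed in an HTTP method name.
TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


def is_valid_method(method: str) -> bool:
    """True only if the method is a non-empty RFC 9110 token (no spaces)."""
    return bool(method) and all(ch in TCHAR for ch in method)


def serialize_request_line(method: str, target: str) -> str:
    """Hypothetical front end that joins fields without validating them."""
    return f"{method} {target} HTTP/1.1"


def lenient_backend_target(request_line: str) -> str:
    """Hypothetical backend that takes the first three space-separated
    fields and ignores anything after them."""
    _method, target, _version = request_line.split(" ")[:3]
    return target


def forward(method: str, target: str) -> str:
    """Hardened front end: refuse to serialize a non-token method."""
    if not is_valid_method(method):
        raise ValueError(f"400 Bad Request: invalid method {method!r}")
    return serialize_request_line(method, target)


# Constructed sample: the two fields that produce the page's example line.
SAMPLE_METHOD = "GET /admin? HTTP/1.1"
SAMPLE_TARGET = "/static/images"

if __name__ == "__main__":
    line = serialize_request_line(SAMPLE_METHOD, SAMPLE_TARGET)
    print("unvalidated line :", line)
    print("backend sees     :", lenient_backend_target(line))
    try:
        forward(SAMPLE_METHOD, SAMPLE_TARGET)
    except ValueError as exc:
        print("hardened proxy   :", exc)
    print("normal request   :", forward("GET", SAMPLE_TARGET))
```

The front end applies its rules to `/static/images`, while the lenient backend resolves `/admin?`; rejecting any method that is not a token removes the disagreement before the line is built.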

Vulnerable Product

haproxy haproxy

debian debian linux 11.0

fedoraproject fedora 33

fedoraproject fedora 34

Vendor Advisories

Several vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which can result in HTTP request smuggling. By carefully crafting HTTP/2 requests, it is possible to smuggle another HTTP request to the backend selected by the HTTP/2 request. With certain configurations, it allows an attacker to send an HTTP requ ...
Synopsis: Important: Red Hat OpenShift GitOps security update. Type/Severity: Security Advisory: Important. Topic: An update for openshift-gitops-applicationset-container, openshift-gitops-container, openshift-gitops-kam-delivery-container, and openshift-gitops-operator-container is now available for Red Hat OpenShift GitOps 12 (GitOps v122). Re ...
Synopsis: Moderate: Red Hat Advanced Cluster Management 2211 security updates and bug fixes. Type/Severity: Security Advisory: Moderate. Topic: Red Hat Advanced Cluster Management for Kubernetes 2211 General Availability release images, which provide one or more container updates and bug fixes. Red Hat Product Security has rated this update as ...
A flaw was found in haproxy. An input validation flaw when processing HTTP/2 requests causes haproxy to not ensure that the scheme and path portions of a URI have the expected characters. This may cause specially crafted input to bypass implemented security restrictions. The highest threat from this vulnerability is confidentiality (CVE-2021-3924 ...
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/imag ...
An issue was discovered in HAProxy before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example ...