An issue exists in HAProxy 2.0 prior to 2.0.24, 2.2 prior to 2.2.16, 2.3 prior to 2.3.13, and 2.4 prior to 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
haproxy haproxy |
||
debian debian linux 11.0 |
||
fedoraproject fedora 33 |
||
fedoraproject fedora 34 |