BIT-haproxy-2023-0836

BIT-haproxy-2023-0836 PUBLISHED CVSS 7.5 HIGH

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Bitnami	haproxy	2.1.0, 2.2.0, 2.3.0

Timeline

Mar 6, 2024 CVE Published
Apr 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://git.haproxy.org/?p=haproxy.git%3Ba=commitdiff%3Bh=2e6bf0a url
https://www.debian.org/security/2023/dsa-5388 url
https://nvd.nist.gov/vuln/detail/CVE-2023-0836 url

Open in Interactive Console →