BIT-haproxy-2023-40225
PUBLISHED
CVSS 7.2 HIGH
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Risk Scores
CVSS 3.1
7.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | haproxy | 0, 2.2.0, 2.4.0 |
Timeline
- Mar 6, 2024 CVE Published
- Apr 3, 2025 CVE Updated
References
- https://cwe.mitre.org/data/definitions/436.html
- https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856
- https://github.com/haproxy/haproxy/issues/2237
- https://www.haproxy.org/download/2.6/src/CHANGELOG
- https://www.haproxy.org/download/2.7/src/CHANGELOG
- https://www.haproxy.org/download/2.8/src/CHANGELOG
- https://nvd.nist.gov/vuln/detail/CVE-2023-40225