DEBIAN-CVE-2023-40225
PUBLISHED
CVSS 7.2 HIGH
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Risk Scores
CVSS 3.1
7.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | haproxy | 2.6.12-1, 2.6.12-1, 0 |
| Debian:14 | haproxy | 0, 0, 0 |
| Debian:13 | haproxy | 0, 0, 0 |
| Debian:11 | haproxy | 2.2.9-2, 2.2.9-2, 2.2.9-2 |
Timeline
- Aug 10, 2023 CVE Published
- Apr 28, 2026 CVE Updated