Все бюллетени/p10_e2k/ALT-PU-2023-3789-1
ALT-PU-2023-3789-1

Обновление пакета haproxy в ветке p10_e2k

Версия2.6.13-alt1.1
Задание#0
Опубликовано2023-06-07
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (4)

BDU:2023-00758
HIGH7.5

Уязвимость серверного программного обеспечения HAProxy, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю выполнять атаку «контрабанда HTTP-запросов»

Опубликовано: 2023-02-17Изменено: 2025-03-05
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:C/A:N
Ссылки
CVE-2023-0836
HIGH7.5

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.

Опубликовано: 2023-03-29Изменено: 2025-02-18
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2023-25725
CRITICAL9.1

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

Опубликовано: 2023-02-14Изменено: 2025-03-20
CVSS 3.xКРИТИЧЕСКАЯ 9.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Ссылки
CVE-2023-25950
HIGH7.3

HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive information or cause a denial-of-service (DoS) condition.

Опубликовано: 2023-04-11Изменено: 2025-02-11
CVSS 3.xВЫСОКАЯ 7.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Ссылки