Ubuntu update for haproxy



Published: 2024-07-23
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2023-45539
CVE-2017-14189
CWE-ID CWE-20
CWE-287
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Ubuntu
Operating systems & Components / Operating system

haproxy (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU83902

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-45539

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input when processing the "#" character in the URI. A remote attacker can pass specially crafted URI to the application and view otherwise restricted file or potentially manipulate data.

Mitigation

Update the affected package haproxy to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

haproxy (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-6530-2


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper authentication

EUVDB-ID: #VU9506

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-14189

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in web UI of Fortinet FortiWebManager. A remote attacker can login as administrator with arbitrary password.

Mitigation

Update the affected package haproxy to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 18.04

haproxy (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-6530-2


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###