CRLF injection in HAProxy - CVE-2019-19330
Published: November 28, 2019
Vulnerability identifier: #VU23084
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-19330
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: HAProxy
Affected software:
HAProxy
HAProxy
Detailed vulnerability description
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing CRLF and NUL character in the HTTP request, while converting headers from HTTP/2 to
HTTP/1. A remote attacker can send a specially crafted HTTP/2 request to the HAProxy and inject arbitrary HTTP headers. Successful exploitation of the vulnerability may allow an attacker to bypass certain security restrictions or perform spoofing attacks.
How to mitigate CVE-2019-19330
Install updates from vendor's website.
Sources
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
- https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
- https://tools.ietf.org/html/rfc7540#section-10.3