#VU23084 CRLF injection in HAProxy - CVE-2019-19330

Published: November 28, 2019


Vulnerability identifier: #VU23084
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-19330
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: HAProxy
Software vendor: HAProxy

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing CRLF and NUL characters in HTTP request headers while converting them from HTTP/2 to HTTP/1. A remote attacker can send a specially crafted HTTP/2 request to HAProxy and inject arbitrary HTTP headers. Successful exploitation may allow an attacker to bypass certain security restrictions or perform spoofing attacks.
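The conversion step the description refers to, as an added example that is not HAProxy's code: a naive HTTP/2 to HTTP/1.1 field serializer next to one that applies the HTTP/2 field-validity check before writing each header line. Header inputs and the hypothetical function names are constructed for this illustration.

```python
# Added example (not HAProxy's code): HTTP/2 -> HTTP/1.1 header conversion,
# naive form and hardened form. Pseudo-headers (:method, :path, :authority)
# are passed separately; `headers` holds the remaining decoded fields.
import re

# RFC 9110 token characters; HTTP/2 additionally requires lowercase names.
_TOKEN = re.compile(rb"^[a-z0-9!#$%&'*+\-.^_`|~]+$")


class MalformedHeader(ValueError):
    """Raised when an HTTP/2 field cannot be written as one HTTP/1.1 line."""


def h2_to_h1_unchecked(method, path, authority, headers):
    """Naive conversion: copies each decoded HTTP/2 field verbatim into an
    HTTP/1.1 header line. HTTP/2 values are length-prefixed octet strings, so
    a CR/LF inside one ends the line early and the remainder is parsed by the
    next hop as a separate header (CWE-93)."""
    lines = [method + b" " + path + b" HTTP/1.1", b"Host: " + authority]
    lines += [name + b": " + value for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def validate_h2_field(name, value):
    """Field validity per RFC 9113 section 8.2.1 (RFC 7540 section 10.3 for
    intermediaries): reject NUL, CR, LF, other CTL octets (not field-vchar,
    RFC 9110 section 5.5) and leading/trailing whitespace in the value, and
    non-token or uppercase octets in the name. Malformed fields are dropped
    instead of forwarded."""
    if not _TOKEN.match(name):
        raise MalformedHeader("bad field name: %r" % name)
    for octet in value:
        if (octet < 0x20 and octet != 0x09) or octet == 0x7F:
            raise MalformedHeader("control octet 0x%02x in field %r" % (octet, name))
    if value[:1] in (b" ", b"\t") or value[-1:] in (b" ", b"\t"):
        raise MalformedHeader("leading/trailing whitespace in field %r" % name)


def h2_to_h1_checked(method, path, authority, headers):
    """Hardened conversion: every field is validated before serialization."""
    for name, value in headers:
        validate_h2_field(name, value)
    return h2_to_h1_unchecked(method, path, authority, headers)


def header_lines(message):
    """Header lines of a serialized HTTP/1.1 head, for inspection."""
    head = message.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]


# Constructed inputs: decoded HTTP/2 fields as an intermediary would see them.
BENIGN = [(b"user-agent", b"curl/7.64"), (b"accept", b"*/*")]
# One value containing CRLF and NUL, the case the advisory describes.
MALFORMED = [(b"user-agent", b"curl/7.64\r\nx-injected: 1\x00")]
```

Run the two converters over MALFORMED: the unchecked one emits three header lines from one input field, the checked one raises MalformedHeader.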


Remediation

Install updates from the vendor's website.

External links