Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2018-11469

Published: 25 May 2018

Incorrect caching of responses to requests including an Authorization header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows attackers to achieve information disclosure via an unauthenticated remote request, related to the proto_http.c check_request_for_cacheability function.

Notes

AuthorNote
leosilva
issue was introduced in 1.8.0.
trusty, xenial and artful are not affected.

Priority

Medium

CVSS 3 base score: 5.9

Status

Package Release Status
haproxy
Launchpad, Ubuntu, Debian
artful Not vulnerable

bionic
Released (1.8.8-1ubuntu0.1)
precise Does not exist

trusty Does not exist
(trusty was not-affected)
upstream Needs triage

xenial Not vulnerable

Patches:
other: https://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=17514045e5d934dede62116216c1b016fe23dd06