CVE-2023-40225

Published: 10 August 2023

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

Notes

Author: rodrigo-zaiden
Note:
The affected Content-Length header parsing was added in
v1.9, with HTX mode. Legacy mode in v2.0 and before has the correct check.
Hence, Ubuntu releases older than focal are not affected.
There is a follow-up commit to handle a specific corner
case where leading zeroes on Content-Length are being preserved, and a
bogus server could take it as a prefix, that being commit 22731762.
Upstream stated that the leading zeroes situation can still happen in
versions older than v1.9; it could be addressed in v2.0+ (with HTX) but
it is not feasible for older versions due to the way values are indexed.
(More information on the bug link.)

Mitigation

A frontend can reject requests carrying an empty Content-Length header with the
following rule (the ACL matches when the header is present and its value has length 0):
 http-request deny if { hdr_len(content-length) 0 }
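The two problem classes named above (an empty Content-Length value, and a value with leading zeroes that a downstream server might read differently) are both about header values that RFC 9110 section 8.6 does not allow or that should be normalised before forwarding. The block below is an added illustration, not HAProxy's parser or the patch from upstream: it validates a Content-Length value against the RFC grammar (1*DIGIT, duplicates only if identical, leading zeroes stripped) and then splits a constructed HTTP/1.1 byte stream under two policies, one that rejects an invalid value and one that silently drops it, to show how the second policy turns the intended body into an extra request. The byte stream, the policy names and all function names are assumptions made for the example.

```python
"""Content-Length validation per RFC 9110 s8.6 and a toy framing demo.

Added example; the parsing rules are the RFC's, the request splitter is a
deliberately minimal stand-in for any HTTP/1 hop, not HAProxy's code.
"""
import re

_DIGITS = re.compile(r"^[0-9]+$")


def validate_content_length(raw: str):
    """Return (accepted, normalized_value) for one Content-Length field value.

    - empty or whitespace-only value         -> reject (the CVE's case)
    - any non-digit character (sign, 'e', space) -> reject
    - comma-separated copies                 -> accept only if all identical
    - leading zeroes ("0010")                -> canonicalised to "10" so every
                                                hop frames the same number of bytes
    """
    members = [m.strip() for m in raw.split(",")]
    if any(m == "" or not _DIGITS.match(m) for m in members):
        return False, None
    values = {int(m) for m in members}
    if len(values) != 1:
        return False, None
    return True, str(values.pop())


def split_requests(stream: bytes, policy: str):
    """Split an HTTP/1.1 request stream into (method, target, body) tuples.

    policy == "reject": an invalid Content-Length aborts parsing (strict hop).
    policy == "ignore": the header is dropped and the request treated as
    bodyless, so whatever followed the headers is parsed as the next request.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("truncated header block")
        lines = stream[pos:end].decode("ascii").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() != "content-length":
                continue
            accepted, normalized = validate_content_length(value.strip())
            if not accepted:
                if policy == "reject":
                    raise ValueError(f"invalid Content-Length: {value!r}")
                continue  # "ignore": behave as if the header were absent
            length = int(normalized)
        body_start = end + 4
        requests.append((method, target, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests


def is_rejected_by_strict_hop(stream: bytes) -> bool:
    """True if a hop with the "reject" policy refuses the stream."""
    try:
        split_requests(stream, "reject")
    except ValueError:
        return True
    return False


# Constructed sample: a POST whose Content-Length value is empty, followed by
# bytes the sender intended as its body but which are also a valid request.
SAMPLE_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: \r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for value in ["", "0010", "5, 5", "5, 6", "12abc"]:
        print(repr(value), "->", validate_content_length(value))
    print("lenient hop sees:", split_requests(SAMPLE_STREAM, "ignore"))
    print("strict hop rejects:", is_rejected_by_strict_hop(SAMPLE_STREAM))
```

With the "ignore" policy the lenient hop reports two requests, `POST /upload` with an empty body and a second `GET /admin`, which is the "payload interpreted as an extra request" outcome the advisory describes; the "reject" policy refuses the stream outright, matching the effect of the `http-request deny` rule above. Note that the ACL in the mitigation only catches the empty-value case; the leading-zero corner case from the note is not covered by it and needs the upstream follow-up commit.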

Priority

Medium

Cvss 3 Severity Score

7.2

Score breakdown

Parameter Value
Base score 7.2
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality impact Low
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N