CVE-2023-40225
Published: 10 August 2023
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Notes
| Author | Note |
|---|---|
| rodrigo-zaiden | affected content-length headers parses were added in v1.9, with HTX mode. legacy mode in v2.0 and before has the correct check. hence, Ubuntu releases older than focal are not affected. there is a followup commit to handle a specific corner case where leading zeroes on content-length are being preserved, and a bogus server could take it as a prefix, that being commit 22731762. upstream stated that the leading zeroes situation can still happen in versions older than v1.9, it could be addressed in v2.0+ (with HTX) but it is not feasible for older versions due to the way values are indexed. (more information on bug link) |
Mitigation
frontend can reject requests with empty content-length header with the
following rule
http-request deny if { hdr_len(content-length) 0 }
Priority
Status
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.2 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
References
- https://www.haproxy.org/download/2.6/src/CHANGELOG
- https://www.haproxy.org/download/2.7/src/CHANGELOG
- https://www.haproxy.org/download/2.8/src/CHANGELOG
- https://github.com/advisories/GHSA-xgq7-jp95-v2qv
- https://ubuntu.com/security/notices/USN-6294-1
- https://ubuntu.com/security/notices/USN-6294-2
- https://www.cve.org/CVERecord?id=CVE-2023-40225
- NVD
- Launchpad
- Debian