CVE-2021-39240 Affecting haproxy package, versions <2.2.9-2+deb11u1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.59% (79th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN11-HAPROXY-1566773
  • published18 Aug 2021
  • disclosed17 Aug 2021

Introduced: 17 Aug 2021

CVE-2021-39240  (opens in a new tab)

How to fix?

Upgrade Debian:11 haproxy to version 2.2.9-2+deb11u1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream haproxy package and not the haproxy package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme and path portions of a URI have the expected characters. For example, the authority field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to achieve.

CVSS Scores

version 3.1