Arbitrary Code Injection Affecting haproxy package, versions <2.0.10-1
Threat Intelligence
EPSS: 2.16% (90th percentile)
- Snyk ID SNYK-DEBIAN11-HAPROXY-536013
- published 27 Nov 2019
- disclosed 27 Nov 2019
Introduced: 27 Nov 2019
CVE-2019-19330
How to fix?
Upgrade Debian:11 haproxy to version 2.0.10-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream haproxy package and not the haproxy package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
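The mitigation RFC 7540 section 10.3 asks of an intermediary is to refuse to translate an HTTP/2 header field into HTTP/1.1 when its name or value carries NUL, CR or LF, since HTTP/2 transports fields as length-prefixed binary and does not need those delimiters, while an HTTP/1.1 backend parses them as line and field boundaries. The following is an added example, not HAProxy's own code or the patched routine: a naive serializer next to a checked one, with a constructed header value, and the function and variable names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if an HTTP/2 header field (name or value) may be forwarded to an
 * HTTP/1.1 backend, 0 if it contains a byte RFC 7540 10.3 tells an
 * intermediary to reject: NUL (0x00), CR (0x0d) or LF (0x0a).
 * Uses the explicit length rather than strlen(), so an embedded NUL is seen. */
int h2_field_is_clean(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (p[i] == 0x00 || p[i] == 0x0d || p[i] == 0x0a)
            return 0;
    }
    return 1;
}

/* Naive translation (the class of behaviour the advisory describes): copy the
 * HTTP/2 field straight into an HTTP/1.1 "name: value\r\n" line.
 * Returns bytes written, or -1 if the buffer is too small. */
int h1_emit_header_naive(const char *name, const unsigned char *v, size_t vlen,
                         char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    if (nlen + 2 + vlen + 2 > outlen)
        return -1;
    memcpy(out, name, nlen);
    memcpy(out + nlen, ": ", 2);
    memcpy(out + nlen + 2, v, vlen);
    memcpy(out + nlen + 2 + vlen, "\r\n", 2);
    return (int)(nlen + 2 + vlen + 2);
}

/* Checked translation: same output format, but -1 when name or value is
 * unclean so the caller can reset the stream instead of emitting a line the
 * backend would parse as several. */
int h1_emit_header_checked(const char *name, const unsigned char *v, size_t vlen,
                           char *out, size_t outlen)
{
    if (!h2_field_is_clean((const unsigned char *)name, strlen(name)))
        return -1;
    if (!h2_field_is_clean(v, vlen))
        return -1;
    return h1_emit_header_naive(name, v, vlen, out, outlen);
}

/* Count CRLF sequences in a serialized buffer: one well-formed header line
 * yields exactly one; more means the backend would see extra lines. */
int count_crlf(const char *buf, size_t len)
{
    int n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: an HTTP/2 header value carrying an embedded CRLF. */
    const unsigned char bad[] = "a\r\nX-Injected: 1";
    size_t badlen = sizeof(bad) - 1;
    char buf[128];

    int n = h1_emit_header_naive("x-test", bad, badlen, buf, sizeof buf);
    printf("naive: %d bytes, %d CRLF sequences (backend sees %d lines)\n",
           n, count_crlf(buf, (size_t)n), count_crlf(buf, (size_t)n));

    int c = h1_emit_header_checked("x-test", bad, badlen, buf, sizeof buf);
    printf("checked: %s\n", c < 0 ? "rejected, stream should be reset" : "forwarded");
    return 0;
}
```

The check is deliberately applied to the raw bytes with their HTTP/2 length, before any string handling; a validator built on C string functions would stop at the NUL case and miss the remainder of the value.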
References
- https://security-tracker.debian.org/tracker/CVE-2019-19330
- https://seclists.org/bugtraq/2019/Nov/45
- https://www.debian.org/security/2019/dsa-4577
- https://security.gentoo.org/glsa/202004-01
- https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
- https://tools.ietf.org/html/rfc7540#section-10.3
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-19330
- https://usn.ubuntu.com/4212-1/
CVSS Scores (version 3.1)