CVE-2023-45539

NameCVE-2023-45539
DescriptionHAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3688-1, DSA-5590-1, ELA-1024-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
haproxy (PTS)jessie, jessie (lts)1.5.8-3+deb8u4fixed
stretch (security)1.7.5-2+deb9u1vulnerable
stretch (lts), stretch1.7.5-2+deb9u2fixed
buster (security), buster, buster (lts)1.8.19-1+deb10u5fixed
bullseye (security), bullseye2.2.9-2+deb11u6fixed
bookworm (security), bookworm2.6.12-1+deb12u1fixed
sid, trixie2.9.11-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
haproxysourcejessie1.5.8-3+deb8u4ELA-1024-1
haproxysourcestretch1.7.5-2+deb9u2ELA-1024-1
haproxysourcebuster1.8.19-1+deb10u5DLA-3688-1
haproxysourcebullseye2.2.9-2+deb11u6DSA-5590-1
haproxysourcebookworm2.6.12-1+deb12u1DSA-5590-1
haproxysource(unstable)2.6.15-1

Notes

https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html
https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6 (v2.9-dev3)
https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=832b672eee54866c7a42a1d46078cc9ae0d544d9 (v2.6.15)
https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=178cea76b1c9d9413afa6961b6a4576fcb5b26fa (v2.2.31)
for stretch & jessie, vulnerable code in src/proto_http.c

Search for package or bug name: Reporting problems