CVE-2024-53008

NameCVE-2024-53008
DescriptionInconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
haproxy (PTS)jessie, jessie (lts)1.5.8-3+deb8u4vulnerable
stretch (security)1.7.5-2+deb9u1vulnerable
stretch (lts), stretch1.7.5-2+deb9u2vulnerable
buster (security), buster, buster (lts)1.8.19-1+deb10u5vulnerable
bullseye (security), bullseye2.2.9-2+deb11u6vulnerable
bookworm (security), bookworm2.6.12-1+deb12u1vulnerable
sid, trixie3.0.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
haproxysource(unstable)2.9.10-1

Notes

https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=fa8b221756076186315b6bbf17ef697ec1ef5695 (v2.6.19)
https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=94d74d24ec9c3710334ab2239b1996faab3ad01e (v2.6.19)
https://git.haproxy.org/?p=haproxy-2.8.git;a=commit;h=94d305eaffc83dff3f59f5c2a3fbeb4710efa39a (v2.8.11)
https://git.haproxy.org/?p=haproxy-2.8.git;a=commit;h=56ab17d34a32d9c15558c2c2d17b743e6d679cbd (v2.8.11)
https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=87fefebfbe3df218103502046a0871b235a48087 (v2.9.10)
https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=6748a47819c263d4631187b6f121b5344ab50d57 (v2.9.10)
https://git.haproxy.org/?p=haproxy-3.0.git;a=commit;h=47d13c68cf198467a94e85a1caa44484a1e2e75c (v3.0.3)
https://git.haproxy.org/?p=haproxy-3.0.git;a=commit;h=5ddc4004cb0c3c4ea4f4596577c85f004678e9c0 (v3.0.3)

Search for package or bug name: Reporting problems