Vulnerabilities > Haproxy

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-09-08 | CVE-2021-40346 | Integer Overflow or Wraparound vulnerability in multiple products. An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs. (network; low complexity; haproxy, debian; CWE-190) | 5.0 |
| 2021-08-17 | CVE-2021-39240 | An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. (network; low complexity; haproxy, debian, fedoraproject) | 5.0 |
| 2021-08-17 | CVE-2021-39241 | An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. (network; low complexity; haproxy, debian, fedoraproject) | 5.0 |
| 2021-08-17 | CVE-2021-39242 | Improper Handling of Exceptional Conditions vulnerability in multiple products. An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. (network; low complexity; haproxy, debian, fedoraproject; CWE-755) | 5.0 |
| 2020-04-02 | CVE-2020-11100 | Out-of-bounds Write vulnerability in multiple products. In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. (network; low complexity; haproxy, debian, redhat; CWE-787) | 6.5 |
| 2019-11-27 | CVE-2019-19330 | Injection vulnerability in multiple products. The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks. (network; low complexity; haproxy, canonical, debian; CWE-74) | 7.5 |
| 2019-10-23 | CVE-2019-18277 | HTTP Request Smuggling vulnerability in Haproxy. A flaw was found in HAProxy before 2.0.6. (network; haproxy; CWE-444) | 4.3 |
| 2019-07-23 | CVE-2019-14243 | Improper Input Validation vulnerability in Haproxy Proxyprotocol. headerv2.go in mastercactapus proxyprotocol before 0.0.2, as used in the mastercactapus caddy-proxyprotocol plugin through 0.0.2 for Caddy, allows remote attackers to cause a denial of service (webserver panic and daemon crash) via a crafted HAProxy PROXY v2 request with truncated source/destination address data. (network; low complexity; haproxy; CWE-20) | 5.0 |
| 2019-07-23 | CVE-2019-14241 | Infinite Loop vulnerability in Haproxy. HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cookies in proto_htx.c. (network; low complexity; haproxy; CWE-835) | 5.0 |
| 2019-05-09 | CVE-2019-11323 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Haproxy. HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use of uninitialized, and very predictable, HMAC keys. (network; haproxy; CWE-327) | 4.3 |