Skip to main content

Haproxy CVE-2023-45539

HIGH
Improper Encoding or Escaping of Output (CWE-116)
2023-11-28 cve@mitre.org
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 28, 2023 - 20:15 nvd
HIGH 8.2

DescriptionNVD

HAProxy before 2.8.2 accepts

as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

AnalysisAI

HAProxy before 2.8.2 accepts

as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-116. HAProxy before 2.8.2 accepts

as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. Affected products include: Haproxy. Version information: before 2.8.2.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2016-5360 HIGH
7.5 Jun 30

HAproxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service

CVE-2021-40346 HIGH POC
7.5 Sep 08

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request

CVE-2019-18277 HIGH POC
7.5 Oct 23

A flaw was found in HAProxy before 2.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no

CVE-2019-14241 HIGH POC
7.5 Jul 23

HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_

CVE-2023-40225 HIGH POC
7.2 Aug 10

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2

CVE-2019-8953 MEDIUM POC
6.1 Feb 20

The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, re

CVE-2019-19330 CRITICAL
9.8 Nov 27

The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd

CVE-2023-25725 CRITICAL
9.1 Feb 14

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situatio

CVE-2026-55203 CRITICAL
9.0 Jun 18

FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux r

CVE-2014-6269 MEDIUM POC
5.0 Sep 30

Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 a

CVE-2020-11100 HIGH
8.8 Apr 02

In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can w

CVE-2026-55204 HIGH
8.7 Jun 18

Denial of service in HAProxy through 3.4.0 allows remote unauthenticated attackers to crash worker processes by triggeri

Share

CVE-2023-45539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy