Main Vulnerability Database SB2020040170

SB2020040170 - Gentoo update for HAProxy

Published: April 1, 2020

Security Bulletin ID SB2020040170

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) CRLF injection (CVE-ID: CVE-2019-19330)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input when processing CRLF and NUL character in the HTTP request, while converting headers from HTTP/2 to HTTP/1. A remote attacker can send a specially crafted HTTP/2 request to the HAProxy and inject arbitrary HTTP headers. Successful exploitation of the vulnerability may allow an attacker to bypass certain security restrictions or perform spoofing attacks.

Remediation

Install update from vendor's website.

References

https://security.gentoo.org/
https://security.gentoo.org/glsa/202004-01