CVE-2013-2175

Description

HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.

How to fix CVE-2013-2175

To remediate CVE-2013-2175, upgrade the affected package to a fixed version below.

• Debian/haproxy—upgrade to 1.4.24-1 or later

Is CVE-2013-2175 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.4.24-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-2175