CVE-2019-19330
haproxy - security update
9.8
CRITICAL
CVSS 3.1
EPSS 1.1%
Description
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
How to fix CVE-2019-19330
To remediate CVE-2019-19330, upgrade the affected package to a fixed version below.
- Alpine/haproxy—upgrade to 1.8.23 or later
- —upgrade to 2.0.10-1 or later
- —upgrade to 1.8.19-1+deb10u1 or later
Is CVE-2019-19330 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 1.8.23
- from 0, < 2.0.10-1
- from 0, < 1.8.19-1+deb10u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |