CVE-2023-40225 — haproxy - security update

Description

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

How to fix CVE-2023-40225

To remediate CVE-2023-40225, upgrade the affected package to a fixed version below.

—upgrade to 2.0.33 or later
—upgrade to 2.2.9-2+deb11u6 or later
—upgrade to 2.2.9-2+deb11u6 or later

Is CVE-2023-40225 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.0.33, >= 2.2.0, < 2.2.31, >= 2.4.0, < 2.4.24, >= 2.5.0, < 2.6.15, >= 2.7.0, < 2.7.10, >= 2.8.0, < 2.8.2
from 0, < 2.2.9-2+deb11u6
from 0, < 2.2.9-2+deb11u6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

References (8)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-40225
WEBcwe.mitre.org/data/definitions/436.html
WEBgithub.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856
WEBgithub.com/haproxy/haproxy/issues/2237