CVE-2022-0711

A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.

References

Affected packages

Git / git.haproxy.org/haproxy-2.2.git

Affected ranges

Type

GIT

Repo

https://git.haproxy.org/haproxy-2.2.git

Events

Introduced

3a00c915fd241fc398a080a11ccac9c5c46791ce

Fixed

d8e6e4b63fc323c98f9bdd6d160a20bce0d02770

Database specific

{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.21"
        }
    ]
}

Type

GIT

Repo

https://git.haproxy.org/haproxy-2.3.git

Events

Introduced

1c0a722a83e7c45456a2b82c15889ab9ab5c4948

Fixed

55c4c21958ebeb5ecb23aa404bafc5d558e4a0d7

Database specific

{
    "versions": [
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.3.18"
        }
    ]
}

Type

GIT

Repo

https://github.com/haproxy/haproxy

Events

Introduced

6cbbecf09734aeb5fa8bb88f36f06a6f6d35e813

Fixed

09cc669afb35fa362c9e42ab42c85f21cbdecd9d

Fixed

bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8

Database specific

{
    "versions": [
        {
            "introduced": "2.4.0"
        },
        {
            "fixed": "2.4.13"
        }
    ]
}

Affected versions

v2.*

v2.2.0

v2.2.1

v2.2.10

v2.2.11

v2.2.12

v2.2.13

v2.2.14

v2.2.15

v2.2.16

v2.2.17

v2.2.18

v2.2.19

v2.2.2

v2.2.20

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.3.0

v2.3.1

v2.3.10

v2.3.11

v2.3.12

v2.3.13

v2.3.14

v2.3.15

v2.3.16

v2.3.17

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.4.0

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0"
            }
        ]
    }
]

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2022-0711-639036d4",
        "target": {
            "file": "src/http_ana.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "337496346880649468093710429442135291026",
                "100471815415007832791994411618091627129",
                "319132254654960409829937430810655726392",
                "322735852155913190660686993841847730435"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2022-0711-b396e60b",
        "target": {
            "file": "src/http_ana.c",
            "function": "http_manage_server_side_cookies"
        },
        "digest": {
            "length": 3914.0,
            "function_hash": "98329939681248038118576851848161614349"
        },
        "signature_version": "v1",
        "source": "https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8"
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-0711.json"