CVE-2023-0836

An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGIBEGINREQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.

References

Affected packages

Git / git.haproxy.org/haproxy-2.2.git

Affected ranges

Type

GIT

Repo

https://git.haproxy.org/haproxy-2.2.git

Events

Introduced

3a00c915fd241fc398a080a11ccac9c5c46791ce

Fixed

2f51eeb60f7f07e76a3248ba9a0757236216aed3

Database specific

{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.27"
        }
    ]
}

Type

GIT

Repo

https://git.haproxy.org/haproxy-2.4.git

Events

Introduced

6cbbecf09734aeb5fa8bb88f36f06a6f6d35e813

Last affected

4c20ccb302a648bcf28a2f1879c315be4029fafa

Database specific

{
    "versions": [
        {
            "introduced": "2.4.0"
        },
        {
            "last_affected": "2.4.21"
        }
    ]
}

Type

GIT

Repo

https://github.com/haproxy/haproxy

Events

Introduced

f2e0833f16aa8c09e1c7001ff55aac4f13c643b7

Last affected

b4d0cd02c14d4db1cf54b0bd8ee328fb198553f3

Introduced

a1efc048bf8a5e14466dbe7317e73117e8d66176

Last affected

026fef98a014b9860f7058eae437ff0a11c78e20

Introduced

Last affected

e54b43af1ec9dc656c04b09118583cb3c2ce56fa

Introduced

Last affected

1c0a722a83e7c45456a2b82c15889ab9ab5c4948

Introduced

Last affected

437fd289f2e32e56498d2d4da63852d483f284ef

Database specific

{
    "versions": [
        {
            "introduced": "2.5.0"
        },
        {
            "last_affected": "2.5.11"
        },
        {
            "introduced": "2.6.0"
        },
        {
            "last_affected": "2.6.8"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.1.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.7.0"
        }
    ]
}

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.1.10

v1.1.11

v1.1.12

v1.1.13

v1.1.14

v1.1.15

v1.1.16

v1.1.17

v1.1.18

v1.1.19

v1.1.2

v1.1.20

v1.1.21

v1.1.22

v1.1.23

v1.1.24

v1.1.25

v1.1.26

v1.1.27

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.2.0

v1.2.1

v1.2.1-pre1

v1.2.1-pre2

v1.2.1-pre3

v1.2.10

v1.2.10.1

v1.2.11

v1.2.11.1

v1.2.12

v1.2.13

v1.2.13.1

v1.2.14

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.5-pre1

v1.2.5-pre2

v1.2.5-pre3

v1.2.5-pre4

v1.2.5.1

v1.2.5.2

v1.2.6

v1.2.6-pre4

v1.2.6-pre5

v1.2.7

v1.2.7.1

v1.2.7rc

v1.2.8

v1.2.9

v1.3.0

v1.3.1

v1.3.10

v1.3.10.1

v1.3.10.2

v1.3.11

v1.3.11.1

v1.3.11.2

v1.3.11.3

v1.3.11.4

v1.3.12

v1.3.13

v1.3.14

v1.3.15

v1.3.16

v1.3.16-rc1

v1.3.16-rc2

v1.3.17

v1.3.18

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.6.1

v1.3.7

v1.3.8

v1.3.8.1

v1.3.8.2

v1.3.9

v1.4-dev0

v1.4-dev1

v1.4-dev2

v1.4-dev3

v1.4-dev4

v1.4-dev5

v1.4-dev6

v1.4-dev7

v1.4-dev8

v1.4-rc1

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.5-dev10

v1.5-dev12

v1.5-dev13

v1.5-dev14

v1.5-dev15

v1.5-dev16

v1.5-dev17

v1.5-dev18

v1.5-dev19

v1.5-dev20

v1.5-dev21

v1.5-dev22

v1.5-dev23

v1.5-dev24

v1.5-dev25

v1.5-dev26

v1.5-dev8

v1.5-dev9

v1.5.0

v1.6-dev0

v1.6-dev1

v1.6-dev2

v1.6-dev3

v1.6-dev4

v1.6-dev5

v1.6-dev6

v1.6-dev7

v1.6.0

v1.7-dev0

v1.7-dev1

v1.7-dev2

v1.7-dev3

v1.7-dev4

v1.7-dev5

v1.7-dev6

v1.7.0

v1.8-dev0

v1.8-dev1

v1.8-dev2

v1.8-dev3

v1.8-rc1

v1.8-rc2

v1.8-rc3

v1.8-rc4

v1.8.0

v1.9-dev0

v1.9-dev1

v1.9-dev10

v1.9-dev11

v1.9-dev2

v1.9-dev3

v1.9-dev4

v1.9-dev5

v1.9-dev6

v1.9-dev7

v1.9-dev8

v1.9-dev9

v1.9.0

v2.*

v2.0-dev0

v2.0-dev1

v2.0-dev2

v2.0-dev3

v2.0-dev4

v2.0-dev5

v2.0-dev6

v2.0-dev7

v2.0.0

v2.1-dev0

v2.1-dev1

v2.1-dev2

v2.1-dev3

v2.1-dev4

v2.1-dev5

v2.1.0

v2.2-dev0

v2.2-dev1

v2.2-dev10

v2.2-dev11

v2.2-dev12

v2.2-dev2

v2.2-dev3

v2.2-dev4

v2.2-dev5

v2.2-dev6

v2.2-dev7

v2.2-dev8

v2.2-dev9

v2.2.0

v2.2.1

v2.2.10

v2.2.11

v2.2.12

v2.2.13

v2.2.14

v2.2.15

v2.2.16

v2.2.17

v2.2.18

v2.2.19

v2.2.2

v2.2.20

v2.2.21

v2.2.22

v2.2.23

v2.2.24

v2.2.25

v2.2.26

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.3-dev0

v2.3-dev1

v2.3-dev2

v2.3-dev3

v2.3-dev4

v2.3-dev5

v2.3-dev6

v2.3-dev7

v2.3-dev8

v2.3-dev9

v2.3.0

v2.4-dev0

v2.4-dev1

v2.4-dev10

v2.4-dev11

v2.4-dev12

v2.4-dev13

v2.4-dev14

v2.4-dev15

v2.4-dev16

v2.4-dev17

v2.4-dev18

v2.4-dev19

v2.4-dev2

v2.4-dev3

v2.4-dev4

v2.4-dev5

v2.4-dev6

v2.4-dev7

v2.4-dev8

v2.4-dev9

v2.4.0

v2.4.1

v2.4.10

v2.4.11

v2.4.12

v2.4.13

v2.4.14

v2.4.15

v2.4.16

v2.4.17

v2.4.18

v2.4.19

v2.4.2

v2.4.20

v2.4.21

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.5-dev0

v2.5-dev1

v2.5-dev10

v2.5-dev11

v2.5-dev2

v2.5-dev3

v2.5-dev4

v2.5-dev5

v2.5-dev6

v2.5-dev7

v2.5-dev8

v2.5-dev9

v2.5.0

v2.6-dev0

v2.6-dev1

v2.6-dev2

v2.6-dev3

v2.6-dev4

v2.6-dev5

v2.6-dev6

v2.6-dev7

v2.6-dev8

v2.6.0

v2.7-dev0

v2.7-dev1

v2.7-dev10

v2.7-dev2

v2.7-dev3

v2.7-dev4

v2.7-dev5

v2.7-dev6

v2.7-dev7

v2.7-dev8

v2.7-dev9

v2.7.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-0836.json"