HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions, as exploited in the wild in 2024.
{ "binaries": [ { "binary_name": "haproxy", "binary_version": "2.0.33-0ubuntu0.1" }, { "binary_name": "haproxy-dbgsym", "binary_version": "2.0.33-0ubuntu0.1" }, { "binary_name": "haproxy-doc", "binary_version": "2.0.33-0ubuntu0.1" }, { "binary_name": "vim-haproxy", "binary_version": "2.0.33-0ubuntu0.1" } ], "availability": "No subscription required" }
{ "binaries": [ { "binary_name": "haproxy", "binary_version": "2.4.24-0ubuntu0.22.04.1" }, { "binary_name": "haproxy-dbgsym", "binary_version": "2.4.24-0ubuntu0.22.04.1" }, { "binary_name": "haproxy-doc", "binary_version": "2.4.24-0ubuntu0.22.04.1" }, { "binary_name": "vim-haproxy", "binary_version": "2.4.24-0ubuntu0.22.04.1" } ], "availability": "No subscription required" }
{ "binaries": [ { "binary_name": "haproxy", "binary_version": "2.8.5-1ubuntu3" }, { "binary_name": "haproxy-dbgsym", "binary_version": "2.8.5-1ubuntu3" }, { "binary_name": "haproxy-doc", "binary_version": "2.8.5-1ubuntu3" }, { "binary_name": "vim-haproxy", "binary_version": "2.8.5-1ubuntu3" } ], "availability": "No subscription required" }