An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example.

An update of the haproxy package has been released.

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the haproxy-2.4.7-1.el9 build changelog.

  - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not     ensure that the scheme and path portions of a URI have the expected characters. For example, the authority     field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to     achieve. (CVE-2021-39240)

  - An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before     2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is     possible that a server would interpret this as a request for that protected resource, such as in the GET     /admin? HTTP/1.1 /static/images HTTP/1.1 example. (CVE-2021-39241)

  - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead     to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority     is mishandled. (CVE-2021-39242)

  - An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform     an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs     and possibly other ACLs. (CVE-2021-40346)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of haproxy2 installed on the remote host is prior to 2.2.17-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2HAPROXY2-2023-005 advisory.

  - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not     ensure that the scheme and path portions of a URI have the expected characters. For example, the authority     field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to     achieve. (CVE-2021-39240)

  - An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before     2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is     possible that a server would interpret this as a request for that protected resource, such as in the GET     /admin? HTTP/1.1 /static/images HTTP/1.1 example. (CVE-2021-39241)

  - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead     to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority     is mishandled. (CVE-2021-39242)

  - An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform     an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs     and possibly other ACLs. (CVE-2021-40346)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:0114 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing     Kubernetes application platform solution designed for on-premise or private     cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.41. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHBA-2022:0117

    Security Fix(es):

    * haproxy: an HTTP method name may contain a space followed by the name of     a protected resource (CVE-2021-39241)
    * haproxy: request smuggling attack or response splitting via duplicate     content-length header (CVE-2021-40346)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    All OpenShift Container Platform 4.7 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-     minor.html#understanding-upgrade-channels_updating-cluster-between-minor

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:0024 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing     Kubernetes application platform solution designed for on-premise or private     cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.53. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHBA-2022:0025

    Security Fix(es):

    * haproxy: an HTTP method name may contain a space followed by the name of     a protected resource (CVE-2021-39241)
    * haproxy: request smuggling attack or response splitting via duplicate     content-length header (CVE-2021-40346)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s)     listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4118 advisory.

  - haproxy: does not ensure that the scheme and path portions of a URI have the expected characters     (CVE-2021-39240)

  - haproxy: an HTTP method name may contain a space followed by the name of a protected resource     (CVE-2021-39241)

  - haproxy: it can lead to a situation with an attacker-controlled HTTP Host header because a mismatch     between Host and authority is mishandled (CVE-2021-39242)

  - haproxy: request smuggling attack or response splitting via duplicate content-length header     (CVE-2021-40346)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the haproxy package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before     2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is     possible that a server would interpret this as a request for that protected resource, such as in the 'GET     /admin? HTTP/1.1 /static/images HTTP/1.1' example. (CVE-2021-39241)

  - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead     to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority     is mishandled. (CVE-2021-39242)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4960 advisory.

  - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not     ensure that the scheme and path portions of a URI have the expected characters. For example, the authority     field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to     achieve. (CVE-2021-39240)

  - An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before     2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is     possible that a server would interpret this as a request for that protected resource, such as in the GET     /admin? HTTP/1.1 /static/images HTTP/1.1 example. (CVE-2021-39241)

  - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead     to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority     is mishandled. (CVE-2021-39242)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
203732	Photon OS 3.0: Haproxy PHSA-2023-3.0-0619	Nessus	PhotonOS Local Security Checks	medium
203247	Photon OS 4.0: Haproxy PHSA-2022-4.0-0263	Nessus	PhotonOS Local Security Checks	medium
191145	CentOS 9 : haproxy-2.4.7-1.el9	Nessus	CentOS Local Security Checks	high
181935	Amazon Linux 2 : haproxy2 (ALASHAPROXY2-2023-005)	Nessus	Amazon Linux Local Security Checks	high
156905	RHEL 7 / 8 : OpenShift Container Platform 4.7.41 (RHSA-2022:0114)	Nessus	Red Hat Local Security Checks	high
156716	RHEL 7 / 8 : OpenShift Container Platform 4.6.53 (RHSA-2022:0024)	Nessus	Red Hat Local Security Checks	high
155292	RHEL 7 / 8 : OpenShift Container Platform 4.9.6 packages and (RHSA-2021:4118)	Nessus	Red Hat Local Security Checks	high
155250	EulerOS 2.0 SP9 : haproxy (EulerOS-SA-2021-2712)	Nessus	Huawei Local Security Checks	high
155237	EulerOS 2.0 SP9 : haproxy (EulerOS-SA-2021-2687)	Nessus	Huawei Local Security Checks	high
152638	Debian DSA-4960-1 : haproxy - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2021-39241

medium

Tenable Plugins

medium

medium

high

high

high

high

high

high

high

high