CVE-2018-11469: Infoleak
First published: Fri May 25 2018(Updated: )
Incorrect caching of responses to requests including an Authorization header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows attackers to achieve information disclosure via an unauthenticated remote request, related to the proto_http.c check_request_for_cacheability function.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Haproxy Haproxy | >=1.8.0<=1.8.9 | |
| Canonical Ubuntu Linux | =18.04 | |
| ubuntu/haproxy | <1.8.8-1ubuntu0.1 | 1.8.8-1ubuntu0.1 |
| redhat/haproxy | <1.8.10 | 1.8.10 |
| debian/haproxy | 1.8.19-1+deb10u3 1.8.19-1+deb10u5 2.2.9-2+deb11u6 2.6.12-1+deb12u1 2.9.4-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.haproxy.org/?p=haproxy-1.8.git;a=commit;h=17514045e5d934dede62116216c1b016fe23dd06
- https://usn.ubuntu.com/3663-1/
- http://www.securityfocus.com/bid/104347
- https://access.redhat.com/errata/RHSA-2019:1436
- https://launchpad.net/bugs/cve/CVE-2018-11469
- https://git.haproxy.org/?p=haproxy-1.8.git%3Ba=commit%3Bh=17514045e5d934dede62116216c1b016fe23dd06
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1582636
- https://github.com/openshift/origin/blob/1cdf91738ccf94ddc94cd96d0cb9907e9de89f75/images/router/haproxy/conf/haproxy-config.template
- https://access.redhat.com/security/cve/cve-2018-11469
- https://bugzilla.redhat.com/show_bug.cgi?id=1582635
- https://security-tracker.debian.org/tracker/CVE-2018-11469
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11469
- https://ubuntu.com/security/notices/USN-3663-1
- https://nvd.nist.gov/vuln/detail/CVE-2018-11469
- https://ubuntu.com/security/CVE-2018-11469
Frequently Asked Questions
What is the vulnerability ID for the incorrect caching vulnerability in HAProxy?
The vulnerability ID is CVE-2018-11469.
What is the severity rating of CVE-2018-11469?
The severity rating is 5.9 (medium).
How does CVE-2018-11469 affect HAProxy?
CVE-2018-11469 allows attackers to achieve information disclosure via an unauthenticated remote request if cache is enabled.
Which versions of HAProxy are affected by CVE-2018-11469?
HAProxy versions 1.8.0 through 1.8.9 are affected by CVE-2018-11469.
How can I fix the incorrect caching vulnerability in HAProxy?
To fix the vulnerability, update HAProxy to version 1.8.10 or higher.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-11469
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- vendor/haproxy
- canonical/haproxy haproxy
- version/haproxy haproxy/1.8.0
- version/haproxy haproxy/1.8.9
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/18.04
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu