First published: Wed Nov 27 2019
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
Credit: cve@mitre.org
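The mechanism behind the advisory, as an added example that is not HAProxy's code: HTTP/2 carries header names and values as length-prefixed HPACK strings, so a value can legally contain CR (0x0d), LF (0x0a) or NUL (0x00) on the wire. An intermediary that copies such a value verbatim into an HTTP/1.1 request lets the embedded CRLF end one header line and begin another on the backend, which is the "intermediary encapsulation" problem described above. RFC 7540 section 10.3 requires these octets to be treated as malformed. The code below shows the naive serialisation beside the validated form, and a backend-side parse that makes the difference observable. All hostnames and header values are constructed.

```python
"""Added example, not HAProxy's implementation: the field validation an
HTTP/2-to-HTTP/1.1 intermediary must apply before serialising headers
for a backend (RFC 7540 s10.3 / RFC 9113 s8.2.1)."""
from typing import List, Sequence, Tuple

Header = Tuple[str, str]

# Octets that may never appear in a field value: NUL, LF, CR.
FORBIDDEN_VALUE_OCTETS = frozenset({0x00, 0x0A, 0x0D})
# Field names: RFC 7230 tchar, restricted to lowercase as HTTP/2 requires.
NAME_OCTETS = frozenset(b"!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyz")


class MalformedField(ValueError):
    """A header field that cannot be safely translated to HTTP/1.1."""


def validate_field(name: str, value: str) -> None:
    """Raise MalformedField unless (name, value) is a well-formed HTTP/2 field."""
    try:
        n, v = name.encode("latin-1"), value.encode("latin-1")
    except UnicodeEncodeError as exc:
        raise MalformedField(f"non-octet character in field {name!r}") from exc
    if not n or any(c not in NAME_OCTETS for c in n):
        raise MalformedField(f"invalid field name {name!r}")
    if any(c in FORBIDDEN_VALUE_OCTETS for c in v):
        raise MalformedField(f"CR, LF or NUL in value of {name!r}")
    if v != v.strip(b" \t"):
        raise MalformedField(f"leading/trailing whitespace in value of {name!r}")


def is_well_formed(name: str, value: str) -> bool:
    """Boolean wrapper around validate_field, convenient for filters and tests."""
    try:
        validate_field(name, value)
    except MalformedField:
        return False
    return True


def naive_h1_request(method: str, path: str, headers: Sequence[Header]) -> str:
    """The unsafe pattern: trust HTTP/2 fields and join them with CRLF."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def safe_h1_request(method: str, path: str, headers: Sequence[Header]) -> str:
    """Hardened form: reject any malformed field, then serialise as above."""
    for n, v in headers:
        validate_field(n, v)
    return naive_h1_request(method, path, headers)


def backend_view(raw: str) -> List[Header]:
    """Parse an HTTP/1.1 head the way a backend does: one field per CRLF line."""
    head = raw.split("\r\n\r\n", 1)[0]
    fields = []
    for line in head.split("\r\n")[1:]:
        n, _, v = line.partition(":")
        fields.append((n.strip(), v.strip()))
    return fields


def count_injected(headers: Sequence[Header]) -> int:
    """Extra fields a backend sees beyond what the client sent, via the naive path."""
    return len(backend_view(naive_h1_request("GET", "/", headers))) - len(headers)


if __name__ == "__main__":
    clean = [("host", "backend.example"), ("x-trace", "abc123")]
    # Constructed malformed input: a value carrying an embedded CRLF.
    bad = clean + [("x-note", "ok\r\nx-injected: 1")]
    print("clean request, extra fields at backend:", count_injected(clean))
    print("malformed request, extra fields at backend:", count_injected(bad))
    try:
        safe_h1_request("GET", "/", bad)
    except MalformedField as err:
        print("validated path rejected it:", err)
```

`backend_view` is deliberately minimal (it does not handle obsolete line folding or duplicate fields); its only job is to show that the naive path produces more fields than the client sent, while `safe_h1_request` refuses to emit the request at all.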
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HAProxy | <2.0.10 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| Debian Linux | =10.0 | |
| redhat/haproxy | <2.0.10 | 2.0.10 |
| redhat/haproxy | <1.8.23 | 1.8.23 |
| debian/haproxy | 1.8.19-1+deb10u3, 1.8.19-1+deb10u4, 2.2.9-2+deb11u5, 2.6.12-1, 2.6.15-1 | |
CVE-2019-19330 is a vulnerability in the HTTP/2 implementation in HAProxy before version 2.0.10 that mishandles headers, allowing for Intermediary Encapsulation Attacks.
CVE-2019-19330 is rated critical, with a severity score of 9.8.
HAProxy versions 1.8.19-1+deb10u3, 1.8.19-1+deb10u4, 2.2.9-2+deb11u5, 2.6.12-1, and 2.6.15-1 are affected by CVE-2019-19330.
To fix CVE-2019-19330, update HAProxy to version 2.0.10 or later (1.8.23 or later on the 1.8 branch).
More information about CVE-2019-19330 is available at the following references: [HAProxy commit 54f53ef7](https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344), [HAProxy commit 146f53ae](https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878), [Debian security tracker](https://security-tracker.debian.org/tracker/CVE-2019-19330).