CVE-2019-19330
First published: Wed Nov 27 2019(Updated: )
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Haproxy Haproxy | <2.0.10 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| Debian Debian Linux | =10.0 | |
| redhat/haproxy | <2.0.10 | 2.0.10 |
| redhat/haproxy | <1.8.23 | 1.8.23 |
| debian/haproxy | 1.8.19-1+deb10u3 1.8.19-1+deb10u4 2.2.9-2+deb11u5 2.6.12-1 2.6.15-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878
- https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
- https://seclists.org/bugtraq/2019/Nov/45
- https://security.gentoo.org/glsa/202004-01
- https://tools.ietf.org/html/rfc7540#section-10.3
- https://usn.ubuntu.com/4212-1/
- https://www.debian.org/security/2019/dsa-4577
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1777585
- http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=b8d65bb1f52849665ef6f21d90ec5fc3b7c00bc6
- http://git.haproxy.org/?p=haproxy-1.8.git;a=commitdiff;h=4b37de078bfa850ea3d08d02e23b912fd5f8c168
- https://access.redhat.com/errata/RHSA-2020:1287
- https://access.redhat.com/security/cve/cve-2019-19330
- https://access.redhat.com/errata/RHSA-2020:1725
- https://access.redhat.com/errata/RHSA-2020:1936
- https://access.redhat.com/errata/RHSA-2020:2265
- https://bugzilla.redhat.com/show_bug.cgi?id=1777584
- https://security-tracker.debian.org/tracker/CVE-2019-19330
Frequently Asked Questions
What is CVE-2019-19330?
CVE-2019-19330 is a vulnerability in the HTTP/2 implementation in HAProxy before version 2.0.10 that mishandles headers, allowing for Intermediary Encapsulation Attacks.
How severe is CVE-2019-19330?
CVE-2019-19330 is considered critical with a severity value of 9.8.
Which versions of HAProxy are affected by CVE-2019-19330?
HAProxy versions 1.8.19-1+deb10u3, 1.8.19-1+deb10u4, 2.2.9-2+deb11u5, 2.6.12-1, and 2.6.15-1 are affected by CVE-2019-19330.
How can I fix CVE-2019-19330?
To fix CVE-2019-19330, you should update HAProxy to version 2.0.10.
Where can I find more information about CVE-2019-19330?
You can find more information about CVE-2019-19330 at the following references: [Reference 1](https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344), [Reference 2](https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878), [Reference 3](https://security-tracker.debian.org/tracker/CVE-2019-19330).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-19330
- agent/software-canonical-lookup
- collector/security-tracker-debian
- vendor/haproxy
- canonical/haproxy haproxy
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- version/canonical ubuntu linux/19.10
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/redhat
- package-manager/debian