CVE-2023-40225
First published: Thu Aug 10 2023(Updated: )
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Haproxy Haproxy | <=2.0.32 | |
| Haproxy Haproxy | >=2.2.0<=2.2.30 | |
| Haproxy Haproxy | >=2.4.0<=2.4.23 | |
| Haproxy Haproxy | >=2.5.0<2.6.15 | |
| Haproxy Haproxy | >=2.7.0<2.7.10 | |
| Haproxy Haproxy | >=2.8.0<2.8.2 | |
| ubuntu/haproxy | <2.0.31-0ubuntu0.2 | 2.0.31-0ubuntu0.2 |
| ubuntu/haproxy | <2.4.22-0ubuntu0.22.04.2 | 2.4.22-0ubuntu0.22.04.2 |
| ubuntu/haproxy | <2.6.9-1ubuntu1.1 | 2.6.9-1ubuntu1.1 |
| ubuntu/haproxy | <2.6.15-1ubuntu1 | 2.6.15-1ubuntu1 |
| ubuntu/haproxy | <2.6.15-1<2.6.15<2.7.10<2.8.2 | 2.6.15-1 2.6.15 2.7.10 2.8.2 |
| redhat/haproxy | <2.6.15 | 2.6.15 |
| redhat/haproxy | <2.7.10 | 2.7.10 |
| redhat/haproxy | <2.8.2 | 2.8.2 |
| debian/haproxy | 1.8.19-1+deb10u3 1.8.19-1+deb10u5 2.2.9-2+deb11u6 2.6.12-1+deb12u1 2.9.9-1 |
Remedy
frontend can reject requests with empty content-length header with the following rule http-request deny if { hdr_len(content-length) 0 }
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cwe.mitre.org/data/definitions/436.html
- https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856
- https://github.com/haproxy/haproxy/issues/2237
- https://www.haproxy.org/download/2.6/src/CHANGELOG
- https://www.haproxy.org/download/2.7/src/CHANGELOG
- https://www.haproxy.org/download/2.8/src/CHANGELOG
- https://launchpad.net/bugs/cve/CVE-2023-40225
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2231371
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2231372
- https://github.com/haproxy/haproxy/issues/2237#issuecomment-1676113850
- https://access.redhat.com/errata/RHSA-2023:7473
- https://access.redhat.com/errata/RHSA-2023:7606
- https://access.redhat.com/errata/RHSA-2024:0200
- https://access.redhat.com/errata/RHSA-2024:0308
- https://access.redhat.com/errata/RHSA-2023:7201
- https://access.redhat.com/errata/RHSA-2024:1089
- https://access.redhat.com/errata/RHSA-2024:1142
- https://bugzilla.redhat.com/show_bug.cgi?id=2231370
- https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=e8ba5e106444fc78558f4ff26e9ce946f89216f4
- https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=d17c50010d591d1c070e1cb0567a06032d8869e9
- https://security-tracker.debian.org/tracker/CVE-2023-40225
- https://github.com/advisories/GHSA-xgq7-jp95-v2qv
- https://ubuntu.com/security/notices/USN-6294-1
- https://ubuntu.com/security/notices/USN-6294-2
- https://www.cve.org/CVERecord?id=CVE-2023-40225
- https://nvd.nist.gov/vuln/detail/CVE-2023-40225
- http://git.haproxy.org/?p=haproxy.git;a=commit;h=6492f1f29d738457ea9f382aca54537f35f9d856
- http://git.haproxy.org/?p=haproxy.git;a=commit;h=22731762d9fe2c98d9e6c3942b1568266b23c69f
- http://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=d17c50010d591d1c070e1cb0567a06032d8869e9
- http://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=e2e464018fda41758bd42d3bcd6ac623c88a110e
- http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=ba9afd2774c03e434165475b537d0462801f49bb
- http://git.haproxy.org/?p=haproxy-2.4.git;a=commit;h=c48acd15011dc6c66977bc088065693f430821df
- http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=4b400110a58da1aa58d58d6371875a3a64c0cff6
- http://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=a90ecde20e53bb26a677b42f53db42900097af9a
- https://ubuntu.com/security/CVE-2023-40225
Frequently Asked Questions
What is the severity of CVE-2023-40225?
The severity of CVE-2023-40225 is high, with a severity value of 7.2.
How does CVE-2023-40225 affect HAProxy?
CVE-2023-40225 affects HAProxy versions through 2.0.32, 2.1.x, 2.2.x, 2.3.x, 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, and 2.9.x.
What is the remedy for CVE-2023-40225?
The remedy for CVE-2023-40225 is to upgrade to HAProxy version 2.6.15 or higher.
Where can I find more information about CVE-2023-40225?
You can find more information about CVE-2023-40225 at the following references: [link1](https://cwe.mitre.org/data/definitions/436.html), [link2](https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856), [link3](https://github.com/haproxy/haproxy/issues/2237).
What is the CWE ID of CVE-2023-40225?
The CWE ID of CVE-2023-40225 is CWE-444.
- collector/nvd-api
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/author
- agent/weakness
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/event
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-40225
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/haproxy
- canonical/haproxy haproxy
- version/haproxy haproxy/2.0.32
- version/haproxy haproxy/2.2.0
- version/haproxy haproxy/2.2.30
- version/haproxy haproxy/2.4.0
- version/haproxy haproxy/2.4.23
- version/haproxy haproxy/2.5.0
- version/haproxy haproxy/2.7.0
- version/haproxy haproxy/2.8.0
- package-manager/ubuntu
- package-manager/redhat
- package-manager/debian