CVE-2019-11323 Information

Description

HAProxy before 1.9.7 mishandles a reload with rotated keys which triggers use of uninitialized and very predictable HMAC keys. This is related to an include/types/ssl_sock.h error.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d

https://www.mail-archive.com/haproxy@formilux.org/msg33410.html

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.9

Base Severity

MEDIUM
