CVE-2019-19330 Information
Description
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0x0d), line feed (LF, ASCII 0x0a) and the zero character (NUL, ASCII 0x00), aka Intermediary Encapsulation Attacks.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878
https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
https://seclists.org/bugtraq/2019/Nov/45
https://security.gentoo.org/glsa/202004-01
https://tools.ietf.org/html/rfc7540#section-10.3
https://usn.ubuntu.com/4212-1/
https://www.debian.org/security/2019/dsa-4577
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
9.8
Base Severity
HIGH