CVE-2023-40225

HIGH Year: 2023
CVSS v3 Score
7.2
High
Weakness Type
CWE-444
View all →

Vulnerability Description

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

Related Vulnerabilities

CVE-2021-42791

HIGH
CVSS:7.3(High)

An issue was discovered in VeridiumID VeridiumAD 2.5.3.0. The HTTP request to trigger push notifications for VeridiumAD enrolled users does not enforce proper access control. A user can trigger push n...

CWE-4442021

CVE-2023-25950

HIGH
CVSS:7.3(High)

HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a legitimate user's request. As a result, the attacker may obtain sensitive...

CWE-4442023

CVE-2020-28483

HIGH
CVSS:7.1(High)

This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.

CWE-4442020

CVE-2017-15643

HIGH
CVSS:7.4(High)

An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum a...

CWE-4442017

CVE-2020-8201

HIGH
CVSS:7.4(High)

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, ...

CWE-4442020

CVE-2023-4639

HIGH
CVSS:7.4(High)

A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltra...

CWE-4442023