Vulnerability Description
HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.
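The bug class named in the description, as an added illustration that is not HAProxy's source: a header lookup that keeps the last MAX_HDR_HISTORY values in a ring and resolves a negative occurrence count (hdr_ip(name,-1) = last value) by walking back through the ring. The function names, the ring size of 10 and the 20-value header are constructed for this example; the hardened variant refuses any occurrence further back than the ring can hold.

```c
#include <stdio.h>

#define MAX_HDR_HISTORY 10   /* constructed ring size standing in for HAProxy's MAX_HDR_HISTORY */

/* Record every value of one header in a ring of MAX_HDR_HISTORY slots, then
 * return the slot holding the occ-th value counted from the end (occ = -1 is
 * the last value). Returns -1 when the header has fewer than -occ values.
 * Simplified reconstruction of the lookup pattern; not HAProxy's code. */
static int hdr_occ_slot_vuln(const char *vals[], int nvals, int occ,
                             const char *hist[MAX_HDR_HISTORY])
{
    int hist_idx = 0, found = 0;
    for (int i = 0; i < nvals; i++) {
        hist[hist_idx] = vals[i];            /* overwrite the oldest entry */
        if (++hist_idx >= MAX_HDR_HISTORY)
            hist_idx = 0;
        found++;
    }
    if (found < -occ)
        return -1;
    hist_idx += occ + MAX_HDR_HISTORY;       /* walk back -occ entries in the ring */
    if (hist_idx >= MAX_HDR_HISTORY)
        hist_idx -= MAX_HDR_HISTORY;
    return hist_idx; /* negative once -occ > MAX_HDR_HISTORY and enough values arrived:
                        hist[hist_idx] would then read before the array (the crash) */
}

/* Hardened: reject an occurrence further back than the ring can ever hold. */
static int hdr_occ_slot_fixed(const char *vals[], int nvals, int occ,
                              const char *hist[MAX_HDR_HISTORY])
{
    if (occ < -MAX_HDR_HISTORY)
        return -1;
    return hdr_occ_slot_vuln(vals, nvals, occ, hist);
}

/* Helper: build one header with nvals identical values (constructed input)
 * and resolve occ with either the vulnerable (fixed=0) or hardened (fixed=1) lookup. */
static int demo_slot(int nvals, int occ, int fixed)
{
    const char *vals[32];
    const char *hist[MAX_HDR_HISTORY];
    for (int i = 0; i < nvals && i < 32; i++) vals[i] = "10.0.0.1";
    return fixed ? hdr_occ_slot_fixed(vals, nvals, occ, hist)
                 : hdr_occ_slot_vuln(vals, nvals, occ, hist);
}

int main(void)
{
    printf("occ=-1  vuln  slot %d\n", demo_slot(20, -1, 0));   /* 9: last value */
    printf("occ=-15 vuln  slot %d\n", demo_slot(20, -15, 0));  /* -5: negative index */
    printf("occ=-15 fixed slot %d\n", demo_slot(20, -15, 1));  /* -1: rejected */
    return 0;
}
```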
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 6.0 |
| Canonical | Ubuntu Linux | 12.04 |
| Redhat | Enterprise Linux Load Balancer | 6.0 |
| Haproxy | Haproxy | 1.4 |
Related Weaknesses (CWE)
References
- http://marc.info/?l=haproxy&m=137147915029705&w=2 (Patch, Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-1120.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-1204.html (Third Party Advisory)
- http://secunia.com/advisories/54344
- http://www.debian.org/security/2013/dsa-2711 (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-1889-1 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=974259 (Issue Tracking)
FAQ
What is CVE-2013-2175?
CVE-2013-2175 is a vulnerability with a CVSS score of 5.0 (MEDIUM). HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (neg...
How severe is CVE-2013-2175?
CVE-2013-2175 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-2175?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Canonical Ubuntu Linux, Redhat Enterprise Linux Load Balancer, Haproxy Haproxy.