Vulnerability Description
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource, and HAProxy forwarded such a method to the backend without checking that it was a valid HTTP token. A backend server may then interpret the forwarded request line as a request for that protected resource, as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example: HAProxy evaluates its access rules against the path it parsed (/static/images), while a lenient backend parser takes the method GET, the version from the last token, and everything in between as the target, so the path becomes /admin and the "?" turns the remainder of the line into a query string. Front-end restrictions on /admin are bypassed without the backend seeing anything it considers malformed. A method cannot contain a space in an HTTP/1 request line, which is split on spaces, but the HTTP/2 :method pseudo-header carries an arbitrary string, which is how the malformed method reaches HAProxy; the fix rejects a method that is not a valid token before the request is re-encoded towards the backend.
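The following Python is an added illustration of the request-line desync described above; it is not HAProxy code and not part of the original advisory. It models the three parties with constructed data: a proxy that re-encodes an HTTP/2 :method and :path pair as an HTTP/1.1 request line, with and without the token check that the fix introduced; a hypothetical front-end rule that denies /admin and allows everything else (an assumption for the example, not an HAProxy default); and a backend request-line parser in a lenient mode (version is the last token, everything between method and version is the target) and a strict mode (exactly three tokens). The smuggled method "GET /admin? HTTP/1.1" and the innocuous path /static/images are taken from the advisory's example.

```python
"""Model of the CVE-2021-39241 request-line desync (added illustration, not HAProxy code)."""
import re
from typing import Optional, Tuple

# "token" from RFC 7230 section 3.2.6: one or more tchar; tchar excludes SP,
# HTAB, CTLs, DQUOTE and the delimiters (),/:;<=>?@[\]{}.
TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Hypothetical front-end policy for this example: deny the admin area, allow the rest.
DENIED_PREFIX = "/admin"


def is_valid_token(value: str) -> bool:
    """True if value is a syntactically valid HTTP token (what the fix requires of :method)."""
    return bool(TCHAR_RE.match(value))


def proxy_allows_path(path: str) -> bool:
    """Front-end access rule, evaluated on the path the proxy parsed from :path."""
    return not path.startswith(DENIED_PREFIX)


def proxy_forward(method: str, path: str, strict_method: bool) -> Optional[str]:
    """Re-encode the request as an HTTP/1.1 request line for the backend.

    strict_method=False reproduces the vulnerable behaviour: the method is copied
    verbatim, spaces included.  strict_method=True reproduces the fixed behaviour:
    a method that is not a valid token is rejected.  Returns None when rejected.
    """
    if not proxy_allows_path(path):
        return None
    if strict_method and not is_valid_token(method):
        return None
    return f"{method} {path} HTTP/1.1\r\n"


def backend_parse_lenient(line: str) -> Tuple[str, str, str, str]:
    """Lenient HTTP/1 parser: method up to the first SP, version after the last SP.

    Returns (method, path, query, version).  With the smuggled line the target
    becomes "/admin? HTTP/1.1 /static/images"; the "?" makes the rest a query string.
    """
    line = line.rstrip("\r\n")
    method, rest = line.split(" ", 1)
    target, version = rest.rsplit(" ", 1)
    path, _, query = target.partition("?")
    return method, path, query, version


def backend_parse_strict(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Strict HTTP/1 parser: exactly method SP target SP version, else None."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not is_valid_token(parts[0]) or not parts[2].startswith("HTTP/"):
        return None
    method, target, version = parts
    path, _, query = target.partition("?")
    return method, path, query, version


if __name__ == "__main__":
    # Constructed attacker input: the protected resource rides inside the method.
    smuggled_method, innocuous_path = "GET /admin? HTTP/1.1", "/static/images"
    for strict in (False, True):
        line = proxy_forward(smuggled_method, innocuous_path, strict_method=strict)
        print(f"fixed={strict}: proxy forwards {line!r}")
        if line:
            print("  lenient backend sees", backend_parse_lenient(line))
            print("  strict backend sees ", backend_parse_strict(line))
```

Whether a given backend is exploitable depends on how tolerant its request-line parser is: the lenient mode above routes the request to /admin, while the strict mode rejects the line outright. The fix removes that dependence on backend behaviour by refusing to forward a method that is not a token in the first place.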
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haproxy | Haproxy | >= 2.0.0, < 2.0.24 |
| Haproxy | Haproxy | >= 2.2.0, < 2.2.16 |
| Haproxy | Haproxy | >= 2.3.0, < 2.3.13 |
| Haproxy | Haproxy | >= 2.4.0, < 2.4.3 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 33 |
References
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=89265224d314a056d77d974284
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2021/dsa-4960 (Third Party Advisory)
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html
FAQ
What is CVE-2021-39241?
CVE-2021-39241 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. ...
How severe is CVE-2021-39241?
CVE-2021-39241 has been rated MEDIUM with a CVSS base score of 5.3/10. The impact is an access-control bypass: a request that HAProxy's front-end rules allow can be served by the backend as a request for a protected resource, such as /admin in the advisory's example.
Is there a patch for CVE-2021-39241?
Yes. HAProxy fixed the issue in 2.0.24, 2.2.16, 2.3.13 and 2.4.3; see the haproxy.git commit and the mailing-list announcement in the references. Debian published DSA-4960 for Debian 11, and Fedora published updated packages (see the package-announce references). Affected products include: Haproxy Haproxy, Debian Debian Linux, Fedoraproject Fedora. To check a deployed instance, run haproxy -v and compare the reported version with the fixed versions above.