Vulnerability Description
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haproxy | Haproxy | >= 2.2.0, < 2.2.16 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=b5d2b9e154d78e4075db163826
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2021/dsa-4960Third Party Advisory
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=b5d2b9e154d78e4075db163826
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2021/dsa-4960Third Party Advisory
- https://www.mail-archive.com/haproxy%40formilux.org/msg41041.html
FAQ
What is CVE-2021-39242?
CVE-2021-39242 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host ...
How severe is CVE-2021-39242?
CVE-2021-39242 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-39242?
Check the references section above for vendor advisories and patch information. Affected products include: Haproxy Haproxy, Debian Debian Linux, Fedoraproject Fedora.