Vulnerability Description
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
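A small model of the mismatch the description refers to, added here as an illustration and not taken from HAProxy's own code: a suffix rule of the path_end kind is evaluated on a request-target that still contains "#", while an RFC 3986 parser on the backend stops the path at "#", so the two sides disagree on what was requested. The rule set, the request-targets and the helper names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a path_end style rule: anything that ends in one of
# these suffixes is sent to a static-file backend, everything else to the app.
STATIC_SUFFIXES = (".png", ".jpg", ".css", ".js")


def route_permissive(raw_target: str) -> str:
    """Model of the pre-2.8.2 behaviour described above: '#' is accepted as
    part of the path, so the suffix test runs on the raw target up to '?'."""
    path = raw_target.split("?", 1)[0]
    return "static" if path.endswith(STATIC_SUFFIXES) else "app"


def backend_path(raw_target: str) -> str:
    """What an RFC 3986 parser sees as the path: everything from '#' onwards
    is the fragment and is not part of the path at all."""
    return urlsplit(raw_target).path


def rule_and_backend_disagree(raw_target: str) -> bool:
    """True when the suffix rule and the backend's parsed path would lead to
    different routing decisions for the same request-target."""
    seen_by_backend = backend_path(raw_target)
    return route_permissive(raw_target) != route_permissive(seen_by_backend)


def route_strict(raw_target: str):
    """Hardened front-end behaviour: a fragment is never legitimate in an HTTP
    request-target, so reject any target containing '#' (caller answers 400)
    instead of letting it reach a suffix rule."""
    if "#" in raw_target:
        return None
    return route_permissive(raw_target)
```

The same comparison is usable as a log check: a request-target containing "#" that your suffix rules would have classified differently from its parsed path is the pattern worth alerting on.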
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haproxy | Haproxy | < 2.8.2 |
Related Weaknesses (CWE)
References
- https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de (Broken Link)
- https://lists.debian.org/debian-lts-announce/2023/12/msg00010.html
- https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html (Mailing List)
- https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html (Release Notes)
FAQ
What is CVE-2023-45539?
CVE-2023-45539 is a vulnerability with a CVSS score of 8.2 (HIGH). HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end ru...
How severe is CVE-2023-45539?
CVE-2023-45539 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-45539?
Check the references section above for vendor advisories and patch information. Affected products include: Haproxy Haproxy.