CVE-2019-19330

CVE Database · CVE-2019-19330

CVE-2019-19330

· CRITICALModified

CVSS v3.1

9.8

EPSS

3.92%

Published

Nov 27, 2019

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-74

Affected Products (5)

haproxy · haproxy (up to 2.0.10)vulnerable

canonical · ubuntu_linuxvulnerable

debian · debian_linuxvulnerable

References (16)

https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=ac198b92d461515551b95daae20954b3053ce87e

https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=146f53ae7e97dbfe496d0445c2802dd0a30b0878

https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=54f53ef7ce4102be596130b44c768d1818570344

https://seclists.org/bugtraq/2019/Nov/45

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202004-01

https://tools.ietf.org/html/rfc7540#section-10.3

Third Party Advisory

https://usn.ubuntu.com/4212-1/

Third Party Advisory

https://www.debian.org/security/2019/dsa-4577

KEV Catalog EPSS Scores Vendors All CVEs