Vulnerability Name: CVE-2019-19330 (CCN-172250)
Assigned: 2019-11-25
Published: 2019-11-25
Updated: 2020-08-18
Summary: The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
CVSS v3 Severity:
9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
5.2 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
CVSS v2 Severity:
7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-74 CWE-20
Vulnerability Consequences: Other
References:
Source: MITRE Type: CNA CVE-2019-19330
Source: XF Type: UNKNOWN haproxy-cve201919330-unspecified(172250)
Source: CCN Type: HAProxy GIT Repository Released version 2.0.10
Source: MISC Type: Patch https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=ac198b92d461515551b95daae20954b3053ce87e
Source: MISC Type: Patch https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878
Source: MISC Type: Patch https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
Source: BUGTRAQ Type: Mailing List, Third Party Advisory 20191128 [SECURITY] [DSA 4577-1] haproxy security update
Source: CCN Type: Bugtraq Mailing List, Thu, 28 Nov 2019 08:20:22 +0000 [SECURITY] [DSA 4577-1] haproxy security update
Source: GENTOO Type: UNKNOWN GLSA-202004-01
Source: MISC Type: Third Party Advisory https://tools.ietf.org/html/rfc7540#section-10.3
Source: UBUNTU Type: Third Party Advisory USN-4212-1
Source: DEBIAN Type: Third Party Advisory DSA-4577
Source: CCN Type: IBM Security Bulletin 6380932 (Aspera High-Speed Transfer Server) HAProxy vulnerability CVE-2019-19330 impacts IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint versions prior to V4.0