CVE-2022-0711

Name
CVE-2022-0711
Description
A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://access.redhat.com/security/cve/cve-2022-0711
Patch https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8
Mailing List https://www.mail-archive.com/haproxy@formilux.org/msg41833.html
DEBIAN https://www.debian.org/security/2022/dsa-5102
https://www.mail-archive.com/haproxy%40formilux.org/msg41833.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* haproxy >= 2.2.0 < 2.5.2
cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* haproxy >= 2.4.0 < 2.4.13
cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* haproxy >= 2.3.0 < 2.3.18
cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* haproxy >= 2.2.0 < 2.2.21

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
haproxy 3.12-main 2.2.24-r0 Milan P. Stanić <mps@arvanta.net> fixed
haproxy 3.13-main 2.2.25-r0 Milan P. Stanić <mps@arvanta.net> fixed
haproxy 3.14-main 2.4.22-r0 Milan P. Stanić <mps@arvanta.net> possibly vulnerable
haproxy 3.15-main 2.4.23-r0 Milan P. Stanić <mps@arvanta.net> possibly vulnerable
haproxy 3.16-main 2.4.24-r0 Milan P. Stanić <mps@arvanta.net> possibly vulnerable