Users of HAProxy 2.0 and earlier versions are being urged to push through updates after a vulnerability was found that could allow “an attacker to bypass the check for a duplicate HTTP Content-Length header, permitting a request smuggling attack or a response-splitting attack.”
“Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value,” HAProxy explained in a blog.
“Due to the difficulty in executing such an attack, the risk is low.”
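The check that this bug defeats is a routine one in any HTTP proxy: a request carrying more than one Content-Length header (or Content-Length alongside Transfer-Encoding) is ambiguous about where the body ends, and two hops that resolve that ambiguity differently is exactly what request smuggling exploits. The following Python is an added example, not HAProxy code, showing what such a framing check looks like when written as a stand-alone parser over raw request bytes; the request samples are constructed, not captured traffic. Note the caveat the quoted analysis points at: the duplicate-header check itself is simple, and the bypass came from the internal representation of the message letting a character move between a header's name and its value, so the check is only as strong as the header parser feeding it. This example therefore validates the name with a strict token grammar before anything else looks at the value.

```python
"""Strict HTTP/1.1 framing checks of the kind a reverse proxy performs.

Added illustration, not HAProxy's implementation. The policy is stricter
than the RFC minimum: any duplicate Content-Length is rejected, not only
duplicates with differing values.
"""
from __future__ import annotations

import re

# RFC 7230 "token": the only characters permitted in a header field name.
# Whitespace is deliberately absent, so "Content-Length :" is a parse error.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# A Content-Length value must be plain ASCII digits and nothing else.
_DIGITS = re.compile(rb"^[0-9]+$")


def parse_headers(header_block: bytes) -> list[tuple[bytes, bytes]]:
    """Split a header block into (lower-cased name, trimmed value) pairs.

    Raises ValueError for any line that is not 'token ":" value', including
    whitespace before the colon and obsolete line folding (leading SP/HTAB).
    """
    headers: list[tuple[bytes, bytes]] = []
    for line in header_block.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding not accepted")
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip(b" \t")))
    return headers


def check_framing(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for the head of a raw HTTP/1.1 request."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    request_line, _, header_block = head.partition(b"\r\n")
    if request_line.count(b" ") != 2:
        return False, "malformed request line"
    try:
        headers = parse_headers(header_block)
    except ValueError as exc:
        return False, str(exc)

    content_lengths = [v for n, v in headers if n == b"content-length"]
    has_te = any(n == b"transfer-encoding" for n, _ in headers)

    if len(content_lengths) > 1:
        return False, "duplicate Content-Length"
    if content_lengths and not _DIGITS.match(content_lengths[0]):
        return False, "non-numeric Content-Length"
    if content_lengths and has_te:
        return False, "Content-Length with Transfer-Encoding"
    return True, "ok"


# Constructed sample requests for demonstration (hostnames are placeholders).
GOOD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Content-Length: 5\r\n\r\nhello")
DUP_CL = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 5\r\n\r\nhello")
SPACE_BEFORE_COLON = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                      b"Content-Length : 5\r\n\r\nhello")
TE_AND_CL = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("dup-cl", DUP_CL),
                          ("space-before-colon", SPACE_BEFORE_COLON),
                          ("te+cl", TE_AND_CL)]:
        accepted, reason = check_framing(sample)
        print(f"{label:20s} accepted={accepted} reason={reason}")
```

Rejecting identical duplicate Content-Length values (rather than merging them, which the RFC permits) is the conservative choice for a component that sits in front of other parsers: it removes the ambiguity entirely instead of trusting that every hop behind it agrees on how to merge.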
HAProxy provided a list of affected versions and fixed versions while also providing a workaround for those who are not able to update right away.
The vulnerability was announced earlier this week by researchers with JFrog, who released a report on the problem.
JFrog researchers Ori Hollander and Or Peles wrote that CVE-2021-40346 is an Integer Overflow vulnerability that
The article HAProxy urges users to update after HTTP request smuggling vulnerability found originally appeared on ZDNet.