HAProxy urges users to update after HTTP request smuggling vulnerability found

ZDNet -

Users of HAProxy 2.0 and earlier versions are being urged to push through updates after a vulnerability was found that could allow “an attacker to bypass the check for a duplicate HTTP Content-Length header, permitting a request smuggling attack or a response-splitting attack.”

“Our analysis confirmed that the duplication is achieved by making use of the memory layout of HAProxy’s internal representation of an HTTP message to slip a select character from the header’s name to its value,” HAProxy explained in a blog.

“Due to the difficulty in executing such an attack, the risk is low.”

HAProxy provided a list of affected versions and fixed versions while also providing a workaround for those who are not able to update right away.
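The flaw described above defeats a proxy's check for a duplicate Content-Length header, which is exactly the kind of framing validation that prevents request smuggling. The following is an added example, not HAProxy's code or its fix, of what such a check looks like when written strictly: it parses a raw request head, rejects field names that are not RFC 7230 tokens (so a character that belongs to a name cannot be misread as part of a value), and refuses any request whose body length is ambiguous, whether because Content-Length appears more than once, because Content-Length and Transfer-Encoding are both present, or because the length is not a plain non-negative integer. The sample requests are constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# RFC 7230 "token" characters: the only bytes allowed in a header field name.
_TOKEN_RE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Content-Length must be one or more ASCII digits and nothing else.
_DIGITS_RE = re.compile(rb"^[0-9]+$")


def parse_header_block(head: bytes) -> List[Tuple[bytes, bytes]]:
    """Split a raw request head (request line plus headers) into (name, value) pairs.

    Names are lower-cased; values have surrounding spaces/tabs stripped.
    Raises ValueError on a header line without ':' or with a non-token name,
    so whitespace or control bytes inside a name are rejected rather than
    silently attached to the value.
    """
    lines = head.split(b"\r\n")
    headers: List[Tuple[bytes, bytes]] = []
    for line in lines[1:]:          # lines[0] is the request line
        if line == b"":             # empty line terminates the header block
            break
        if b":" not in line:
            raise ValueError("header line without ':'")
        name, value = line.split(b":", 1)
        if not _TOKEN_RE.match(name):
            raise ValueError(f"invalid header field name {name!r}")
        headers.append((name.lower(), value.strip(b" \t")))
    return headers


def framing_problem(head: bytes) -> Optional[str]:
    """Return None if the body framing is unambiguous, otherwise a reason to reject.

    This is deliberately stricter than the minimum RFC 7230 allows: any repeated
    Content-Length is rejected, even when the repeated values are identical.
    """
    try:
        headers = parse_header_block(head)
    except ValueError as exc:
        return f"malformed: {exc}"
    content_lengths = [v for n, v in headers if n == b"content-length"]
    transfer_encodings = [v for n, v in headers if n == b"transfer-encoding"]
    if content_lengths and transfer_encodings:
        return "both Content-Length and Transfer-Encoding present"
    if len(content_lengths) > 1:
        return "duplicate Content-Length header"
    if content_lengths and not _DIGITS_RE.match(content_lengths[0]):
        return "Content-Length is not a non-negative integer"
    return None


# Constructed sample request heads (not captured traffic).
GOOD = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
DUPLICATE_CL = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nContent-Length: 10\r\n\r\n")
CL_AND_TE = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")
# A space between the field name and the colon is not a valid token name.
SPACE_IN_NAME = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("good", GOOD), ("duplicate", DUPLICATE_CL),
                        ("cl+te", CL_AND_TE), ("space-in-name", SPACE_IN_NAME)]:
        print(f"{label:14s} -> {framing_problem(head) or 'accept'}")
```

Rejecting rather than "repairing" an ambiguous request is the safe choice for anything that sits in front of another HTTP parser: if a front-end and back-end can be made to disagree about where one request ends, the next request on the connection is what gets smuggled, so the front-end should never forward a message whose framing it had to guess.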

The vulnerability was announced earlier this week by researchers with JFrog, who released a report on the problem.

JFrog researchers Ori Hollander and Or Peles wrote that CVE-2021-40346 is an Integer Overflow vulnerability that

The article HAProxy urges users to update after HTTP request smuggling vulnerability found originally appeared on ZDNet.
