CVE-2023-45539

NameCVE-2023-45539
DescriptionHAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3688-1, DSA-5590-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
haproxy (PTS)buster1.8.19-1+deb10u3vulnerable
buster (security)1.8.19-1+deb10u5fixed
bullseye (security), bullseye2.2.9-2+deb11u6fixed
bookworm, bookworm (security)2.6.12-1+deb12u1fixed
trixie2.9.5-1fixed
sid2.9.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
haproxysourcebuster1.8.19-1+deb10u5DLA-3688-1
haproxysourcebullseye2.2.9-2+deb11u6DSA-5590-1
haproxysourcebookworm2.6.12-1+deb12u1DSA-5590-1
haproxysource(unstable)2.6.15-1

Notes

https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html
https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6 (v2.9-dev3)
https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=832b672eee54866c7a42a1d46078cc9ae0d544d9 (v2.6.15)
https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=178cea76b1c9d9413afa6961b6a4576fcb5b26fa (v2.2.31)

Search for package or bug name: Reporting problems