| Name | CVE-2024-53008 |
| Description | Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| haproxy (PTS) | bullseye (security), bullseye | 2.2.9-2+deb11u6 | vulnerable |
| bookworm, bookworm (security) | 2.6.12-1+deb12u1 | vulnerable | |
| trixie | 2.9.12-1 | fixed | |
| sid | 3.0.6-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| haproxy | source | (unstable) | 2.9.10-1 |
https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=fa8b221756076186315b6bbf17ef697ec1ef5695 (v2.6.19)
https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=94d74d24ec9c3710334ab2239b1996faab3ad01e (v2.6.19)
https://git.haproxy.org/?p=haproxy-2.8.git;a=commit;h=94d305eaffc83dff3f59f5c2a3fbeb4710efa39a (v2.8.11)
https://git.haproxy.org/?p=haproxy-2.8.git;a=commit;h=56ab17d34a32d9c15558c2c2d17b743e6d679cbd (v2.8.11)
https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=87fefebfbe3df218103502046a0871b235a48087 (v2.9.10)
https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=6748a47819c263d4631187b6f121b5344ab50d57 (v2.9.10)
https://git.haproxy.org/?p=haproxy-3.0.git;a=commit;h=47d13c68cf198467a94e85a1caa44484a1e2e75c (v3.0.3)
https://git.haproxy.org/?p=haproxy-3.0.git;a=commit;h=5ddc4004cb0c3c4ea4f4596577c85f004678e9c0 (v3.0.3)