Product

haproxy

33 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-11230
>= 2.4.0 and < 2.4.30
Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JS
7.5 HIGH
CVE-2024-45506
>= 2.9.0 and < 2.9.10
HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy
7.5 HIGH
CVE-2023-45539
< 2.8.2
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or
8.2 HIGH
CVE-2023-40225
<= 2.0.32
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x befor
7.2 HIGH
CVE-2023-25950
>= 2.6.1 and <= 2.6.7
HTTP request/response smuggling vulnerability in HAProxy version 2.7.0, and 2.6.1 to 2.6.7 allows a remote attacker to alter a leg
7.3 HIGH
CVE-2023-0836
>= 2.2.0 and < 2.2.27
An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6
7.5 HIGH
CVE-2023-0056
all versions
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow
6.5 MEDIUM
CVE-2023-25725
< 2.0.31
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "r
9.1 CRITICAL
CVE-2022-0711
>= 2.2.0 and < 2.2.21
A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacke
7.5 HIGH
CVE-2021-40346
>= 2.0.0 and < 2.0.25
An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling
7.5 HIGH
CVE-2021-39242
>= 2.2.0 and < 2.2.16
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an
7.5 HIGH
CVE-2021-39241
>= 2.0.0 and < 2.0.24
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method n
5.3 MEDIUM
CVE-2021-39240
>= 2.2.0 and < 2.2.16
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not ensure that the scheme
7.5 HIGH
CVE-2020-11100
>= 1.8.0 and < 2.1.4
In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbit
8.8 HIGH
CVE-2019-19330
< 2.0.10
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line fe
9.8 CRITICAL
CVE-2019-18277
< 2.0.6
A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the "chunked" valu
7.5 HIGH
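The CVE-2023-45539 entry (a raw # accepted in the URI) and the CVE-2019-18277 entry (a Transfer-Encoding header whose final coding is not chunked) are both HTTP/1 request validation failures at the proxy. The following is an added example, not HAProxy's code or its project's test suite: a small request validator that applies the two checks the way RFC 9112 and RFC 3986 require. The sample requests, header names and return strings are constructed for this example.

```python
# Added example (not HAProxy code): the two HTTP/1 parsing checks behind the
# CVE-2019-18277 and CVE-2023-45539 entries, written as a small request
# validator.  The sample requests below are constructed for this example.
from typing import List, Tuple

Headers = List[Tuple[str, str]]


def split_head(raw: bytes) -> Tuple[str, Headers]:
    """Split a raw request head into the request line and lowercased (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_request_target(request_line: str) -> str:
    """A request-target never carries a fragment (RFC 3986 / RFC 9112), so a raw
    '#' in it is rejected instead of being forwarded: a proxy that passes it on
    may route on a path that its own ACLs never matched."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "400 malformed request line"
    if "#" in parts[1]:
        return "400 fragment in request-target"
    return "ok"


def check_framing(headers: Headers) -> str:
    """Decide how the body is delimited (RFC 9112 section 6).

    If Transfer-Encoding is present its final coding must be 'chunked';
    otherwise the body length is undetermined and the request is rejected
    rather than forwarded with Content-Length framing, which a backend could
    interpret differently (the smuggling pattern behind CVE-2019-18277).
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return "400 transfer-encoding without final chunked"
        if cl:
            return "400 both transfer-encoding and content-length"
        return "chunked"
    if len(set(cl)) > 1:
        return "400 conflicting content-length"
    if cl:
        if not cl[0].isdigit():
            return "400 invalid content-length"
        return f"content-length {int(cl[0])}"
    return "no body"


def validate(raw: bytes) -> str:
    """Return the framing decision, or the 400 reason the proxy should answer with."""
    request_line, headers = split_head(raw)
    target = check_request_target(request_line)
    if target != "ok":
        return target
    return check_framing(headers)


# Constructed samples (not captured traffic).
SMUGGLE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
           b"Transfer-Encoding: identity\r\nContent-Length: 4\r\n\r\nABCD")
FRAGMENT = b"GET /admin#/ HTTP/1.1\r\nHost: app.example\r\n\r\n"
CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
           b"Transfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n")
PLAIN = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for sample in (SMUGGLE, FRAGMENT, CHUNKED, PLAIN):
        print(sample.split(b"\r\n", 1)[0].decode(), "->", validate(sample))
```

The point of rejecting rather than normalising is that every hop in the chain must reach the same framing decision; a proxy that silently drops or rewrites a header it did not understand leaves the backend to decide differently.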
CVE-2019-14243
< 0.0.2
headerv2.go in mastercactapus proxyprotocol before 0.0.2, as used in the mastercactapus caddy-proxyprotocol plugin through 0.0.2 f
7.5 HIGH
CVE-2019-14241
>= 1.4 and <= 1.9.8
HAProxy through 2.0.2 allows attackers to cause a denial of service (ha_panic) via vectors related to htx_manage_client_side_cooki
7.5 HIGH
CVE-2019-11323
>= 1.9.2 and < 1.9.7
HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use of uninitialized, and very predictable, HMAC keys.
5.9 MEDIUM
CVE-2018-20615
>= 1.8.0 and <= 1.8.19
An out-of-bounds read issue was discovered in the HTTP/2 protocol decoder in HAProxy 1.8.x and 1.9.x through 1.9.0 which can resul
7.5 HIGH
CVE-2019-8953
< 0.59_16
The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to h
6.1 MEDIUM
CVE-2018-20103
<= 1.8.14
An issue was discovered in dns.c in HAProxy through 1.8.14. In the case of a compressed pointer, a crafted packet can trigger infi
7.5 HIGH
CVE-2018-20102
<= 1.8.14
An out-of-bounds read in dns_validate_dns_response in dns.c was discovered in HAProxy through 1.8.14. Due to a missing check when
7.5 HIGH
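The CVE-2018-20103 and CVE-2018-20102 entries describe the two classic failure modes of DNS name decompression: a compression pointer chain that never terminates, and a length or pointer that reads past the end of the packet. The following is an added example, not HAProxy's dns.c: a decoder for RFC 1035 compressed names that rejects both. The packets and the error strings are constructed for this example.

```python
# Added example, not HAProxy's dns.c: decoding a compressed DNS name
# (RFC 1035 section 4.1.4) so that the two failure modes described in the
# CVE-2018-20103 and CVE-2018-20102 entries, a compression-pointer loop and
# a label or pointer that runs past the end of the packet, are rejected
# instead of looping or reading out of bounds.  Sample packets are
# constructed for this example.
import struct
from typing import Tuple

MAX_NAME_LEN = 255  # RFC 1035 section 2.3.4


class DnsDecodeError(ValueError):
    pass


def read_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Return (name, offset just after the name in the message).

    Every length byte and every label is bounds-checked before it is read.
    Each offset may be visited once, so a pointer chain can take at most
    len(packet) steps and cannot loop; RFC 1035 additionally requires a
    pointer to refer to an earlier offset, which is checked as well.
    """
    labels = []
    visited = set()
    pos = offset
    end = None            # set when the first pointer or the root label is reached
    total = 0             # wire length of the uncompressed name
    while True:
        if pos >= len(packet):
            raise DnsDecodeError("name runs past end of packet")
        if pos in visited:
            raise DnsDecodeError("compression pointer loop")
        visited.add(pos)
        length = packet[pos]
        if length & 0xC0 == 0xC0:                   # 11xxxxxx: pointer
            if pos + 1 >= len(packet):
                raise DnsDecodeError("truncated compression pointer")
            ptr = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            if end is None:
                end = pos + 2
            if ptr >= pos:
                raise DnsDecodeError("pointer does not refer to an earlier offset")
            pos = ptr
            continue
        if length & 0xC0:                           # 01/10 prefixes are reserved
            raise DnsDecodeError("reserved label type")
        if length == 0:                             # root label ends the name
            if end is None:
                end = pos + 1
            return ".".join(labels) + ".", end
        if pos + 1 + length > len(packet):
            raise DnsDecodeError("label runs past end of packet")
        total += 1 + length
        if total > MAX_NAME_LEN:
            raise DnsDecodeError("name too long")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length


def decode_or_reject(packet: bytes, offset: int) -> str:
    """Convenience wrapper: the decoded name, or 'rejected: <reason>'."""
    try:
        return read_name(packet, offset)[0]
    except DnsDecodeError as exc:
        return f"rejected: {exc}"


# Constructed packets.  HEADER is 12 bytes so the question name sits at offset 12.
HEADER = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
QNAME = b"\x03www\x07example\x03com\x00"                 # www.example.com. (17 bytes)
GOOD = HEADER + QNAME + b"\x00\x01\x00\x01" + b"\xc0\x0c"  # answer name -> offset 12
LOOP = HEADER + b"\x03www\xc0\x0c"                      # 'www' then a pointer back to it
SELF = HEADER + b"\xc0\x0c"                             # pointer to its own offset
TRUNC = HEADER + b"\x05abc"                             # label claims 5 bytes, 3 present

if __name__ == "__main__":
    print(read_name(GOOD, 12))
    print(read_name(GOOD, 33))
    for label, pkt in (("LOOP", LOOP), ("SELF", SELF), ("TRUNC", TRUNC)):
        print(label, "->", decode_or_reject(pkt, 12))
```

Note that a backwards-only pointer rule on its own does not stop the LOOP packet (the pointer at offset 16 legitimately refers back to 12, whose label leads forward to 16 again); it is the visited-offset set, or equivalently a hard cap on steps, that guarantees termination.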
CVE-2018-14645
< 1.8.14
A flaw was discovered in the HPACK decoder of HAProxy, before 1.8.14, that is used for HTTP/2. An out-of-bounds read access in hpa
7.5 HIGH
CVE-2018-11469
>= 1.8.0 and <= 1.8.9
Incorrect caching of responses to requests including an Authorization header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) all
5.9 MEDIUM
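The CVE-2018-11469 entry is a shared cache storing responses to requests that carried an Authorization header and then serving them to other clients. The following is an added example, not HAProxy's cache filter: the RFC 7234 section 3.2 decision a shared cache has to make before storing such a response. The request and response headers are constructed for this example.

```python
# Added example, not HAProxy's cache filter: the RFC 7234 section 3.2 rule
# that a shared cache must not store a response to a request that carried an
# Authorization header unless the response explicitly permits it with
# public, must-revalidate or s-maxage.  The CVE-2018-11469 entry describes a
# cache that skipped this rule.  Sample exchanges are constructed here.
from typing import Dict


def parse_cache_control(value: str) -> Dict[str, str]:
    """'public, max-age=60' -> {'public': '', 'max-age': '60'}; names lowercased."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(request_headers: Dict[str, str], status: int,
                           response_headers: Dict[str, str]) -> bool:
    """Decide whether a shared cache (a proxy) may store this GET response.

    Order of checks: no-store on either side, private, the Authorization
    rule, and finally whether any freshness information is present.
    Header names are matched case-insensitively.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    req_cc = parse_cache_control(req.get("cache-control", ""))
    resp_cc = parse_cache_control(resp.get("cache-control", ""))

    if status != 200:                      # this example only stores 200 OK
        return False
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False
    if "private" in resp_cc:               # shared caches must not store it
        return False
    if "authorization" in req:
        # RFC 7234 section 3.2: a shared cache MUST NOT reuse the response
        # for other users unless one of these directives is present.
        return any(d in resp_cc for d in ("public", "must-revalidate", "s-maxage"))
    return "max-age" in resp_cc or "s-maxage" in resp_cc or "expires" in resp


# Constructed exchanges.
AUTH_REQ = {"Authorization": "Bearer token-for-alice"}
ANON_REQ: Dict[str, str] = {}
PER_USER_RESP = {"Cache-Control": "max-age=300", "Content-Type": "application/json"}
PUBLIC_RESP = {"Cache-Control": "public, max-age=300"}
PRIVATE_RESP = {"Cache-Control": "private, max-age=300"}

if __name__ == "__main__":
    # The dangerous case: a per-user 200 whose Cache-Control says nothing about being public.
    print(shared_cache_may_store(AUTH_REQ, 200, PER_USER_RESP))   # False
```

The asymmetry worth remembering is that max-age alone is enough for an anonymous request but not for an authenticated one; only public, must-revalidate or s-maxage overrides the Authorization rule.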
CVE-2018-10184
< 1.8.8
An issue was discovered in HAProxy before 1.8.8. The incoming H2 frame length was checked against the max_frame_size setting inste
7.5 HIGH
CVE-2016-2102
all versions
HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network.
5.3 MEDIUM
CVE-2016-5360
>= 1.6.0 and < 1.6.6
HAProxy 1.6.x before 1.6.6, when a deny comes from a reqdeny rule, allows remote attackers to cause a denial of service (uninitial
7.5 HIGH
CVE-2015-3281
>= 1.5.0 and < 1.5.14 (also 1.6-dev)
The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1.6-dev does not properly realign a buffer that is used for pe
CVE-2014-6269
>= 1.5-dev23 and < 1.5.4
Multiple integer overflows in the http_request_forward_body function in proto_http.c in HAProxy 1.5-dev23 before 1.5.4 allow remot
CVE-2013-2175
< 1.4.24 (also 1.5 before 1.5-dev19)
HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occur
CVE-2013-1912
>= 1.4 and <= 1.4.22 (also 1.5-dev through 1.5-dev17)
Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5-dev17, when HTTP keep-alive is enabled, using HTTP keywords
CVE-2012-2942
<= 1.4.20
Buffer overflow in the trash buffer in the header capture functionality in HAProxy before 1.4.21, when global.tune.bufsize is set
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin