Fedora Account System
Red Hat Associate
Red Hat Customer
An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is possible that a server would interpret this as a request for that protected resource, such as in the "GET /admin? HTTP/1.1 /static/images HTTP/1.1" example. Reference: https://www.mail-archive.com/haproxy@formilux.org/msg41041.html Upstream patch: https://git.haproxy.org/?p=haproxy.git;a=commit;h=89265224d314a056d77d974284802c1b8a0dc97f
Created haproxy tracking bugs for this issue: Affects: fedora-all [bug 1995109]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:4118 https://access.redhat.com/errata/RHSA-2021:4118
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-39241
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:5208 https://access.redhat.com/errata/RHSA-2021:5208
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:0024 https://access.redhat.com/errata/RHSA-2022:0024
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:0114 https://access.redhat.com/errata/RHSA-2022:0114