2318475 – (CVE-2024-49214) CVE-2024-49214 haproxy: Spoofed IP Bypass in HAProxy QUIC Listener 0-RTT Sessions

Bug 2318475 (CVE-2024-49214) - CVE-2024-49214 haproxy: Spoofed IP Bypass in HAProxy QUIC Listener 0-RTT Sessions

Summary: CVE-2024-49214 haproxy: Spoofed IP Bypass in HAProxy QUIC Listener 0-RTT Sess...

Keywords:
Status:	NEW
Alias:	CVE-2024-49214
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2318527
Blocks:
TreeView+	depends on / blocked

Reported:	2024-10-14 04:01 UTC by OSIDB Bzimport
Modified:	2024-10-14 16:15 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-10-14 04:01:32 UTC

QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.

Note You need to log in before you can comment on or make changes to this bug.