2253037 – (CVE-2023-45539) CVE-2023-45539 haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers

Bug 2253037 (CVE-2023-45539) - CVE-2023-45539 haproxy: untrimmed URI fragments may lead to exposure of confidential data on static servers

Summary: CVE-2023-45539 haproxy: untrimmed URI fragments may lead to exposure of confi...

Keywords:
Status:	NEW
Alias:	CVE-2023-45539
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2253039 2253038
Blocks:	2253036
TreeView+	depends on / blocked

Reported:	2023-12-05 18:42 UTC by Robb Gatica
Modified:	2024-03-27 20:08 UTC (History)
CC List:	10 users (show)
Fixed In Version:	haproxy 2.8.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:1089	0	None	None	None	2024-03-05 08:17:41 UTC
Red Hat Product Errata	RHSA-2024:1142	0	None	None	None	2024-03-05 18:15:31 UTC

Description Robb Gatica 2023-12-05 18:42:42 UTC

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6
https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html
https://www.mail-archive.com/haproxy%40formilux.org/msg43861.html

Comment 1 Robb Gatica 2023-12-05 18:42:58 UTC

Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 2253038]

Comment 3 Robb Gatica 2023-12-05 18:47:33 UTC

Per the HAProxy release notes:

the URL fragments (the part that follows '#') are not allowed to be sent on the wire, and their handling on the server side has long been ambiguous. Historically most servers would trim them, nowadays with stronger specification requirements most of them tend to simply reject the request as invalid. Till now we did neither of these, so they could appear at the end of the "path" sample fetch contents. It can be problematic in case path_end is used to route requests. For example, a rule doing routing "{ path_end .png .jpg }" to a static server could very well match "index.html#.png". The question of how best to proceed in this case was asked to other HTTP implementers and the consensus was clearly that this should be actively rejected, which is even specifically mandated in certain side-protocol specs. A measurement on haproxy.org shows that such requests appear at a rate of roughly 1 per million, and are either emitted by poorly written crawlers that copy-paste blocks of text, or are sent by vulnerability scanners. Thus a check was added for this corner case which is now blocked by default. In case anyone would discover that they're hosting a bogus application relying on this, this can be reverted using "option accept-invalid-http-request".

Comment 4 errata-xmlrpc 2024-03-05 08:17:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1089 https://access.redhat.com/errata/RHSA-2024:1089

Comment 5 errata-xmlrpc 2024-03-05 18:15:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1142 https://access.redhat.com/errata/RHSA-2024:1142

Note You need to log in before you can comment on or make changes to this bug.