CVE-2013-2175

Debian Linux - Improper Access Control

Description

HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.

References (7)

Core References
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-1204.html
Patch, Third Party Advisory mailing-list x_refsource_mlist
http://marc.info/?l=haproxy&m=137147915029705&w=2
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/54344
Issue Tracking x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=974259
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2711
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-1120.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1889-1

Scores

EPSS 0.0352
EPSS Percentile 87.8%

Details

CWE CWE-20, CWE-284
Status published
Products (31)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
canonical/ubuntu_linux 13.04
debian/debian_linux 6.0
haproxy/haproxy 1.4
haproxy/haproxy 1.4.0
haproxy/haproxy 1.4.1
haproxy/haproxy 1.4.2
haproxy/haproxy 1.4.3
haproxy/haproxy 1.4.4
... and 21 more
Published Aug 19, 2013
Tracked Since Feb 18, 2026