CVE-2018-11469
MEDIUM
HAProxy 1.8.0-1.8.9 - Unauthenticated Information Disclosure via Cached Authorization Header
Title source: llm
Description
Incorrect caching of responses to requests including an Authorization header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows attackers to achieve information disclosure via an unauthenticated remote request, related to the proto_http.c check_request_for_cacheability function.
References (4)
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/104347
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3663-1/
Various Sources x_refsource_confirm
https://git.haproxy.org/?p=haproxy-1.8.git%3Ba=commit%3Bh=17514045e5d934dede62116216c1b016fe23dd06
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1436
Scores
CVSS v3
5.9
EPSS
0.0003
EPSS Percentile
8.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
canonical/ubuntu_linux
18.04
haproxy/haproxy
1.8.0 - 1.8.9
Published
May 25, 2018
Tracked Since
Feb 18, 2026