CVE-2019-19330
Severity: CRITICAL
HAProxy < 2.0.10 - HTTP/2 Header Injection via CR, LF, and NUL Characters
The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, as demonstrated by carriage return (CR, ASCII 0xd), line feed (LF, ASCII 0xa), and the zero character (NUL, ASCII 0x0), aka Intermediary Encapsulation Attacks.
References (8)
Various Sources (x_refsource_misc): https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=54f53ef7ce4102be596130b44c768d1818570344
Various Sources (x_refsource_misc): https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=146f53ae7e97dbfe496d0445c2802dd0a30b0878
Various Sources (x_refsource_misc): https://git.haproxy.org/?p=haproxy-2.0.git%3Ba=commit%3Bh=ac198b92d461515551b95daae20954b3053ce87e
Third Party Advisory (x_refsource_misc): https://tools.ietf.org/html/rfc7540#section-10.3
Third Party Advisory, vendor-advisory (x_refsource_debian): https://www.debian.org/security/2019/dsa-4577
Mailing List, Third Party Advisory, mailing-list (x_refsource_bugtraq): https://seclists.org/bugtraq/2019/Nov/45
Third Party Advisory, vendor-advisory (x_refsource_ubuntu): https://usn.ubuntu.com/4212-1/
Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/202004-01
Scores
CVSS v3: 9.8
EPSS: 0.0098
EPSS Percentile: 77.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-74
Status: published
Products (5)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
canonical/ubuntu_linux 19.10
debian/debian_linux 10.0
haproxy/haproxy < 2.0.10
Published: Nov 27, 2019
Tracked Since: Feb 18, 2026