CVE-2020-11100 - In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a r

CVE-2020-11100

Summary

In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution.

References

Vulnerable Configurations

cpe:2.3:a:haproxy:haproxy:1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.2:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.2:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.3:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.3:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.4:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.4:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.5:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.5:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.6:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.6:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.7:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.7:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.8:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.8:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.9:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.9:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.10:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.10:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.11:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.11:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.12:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.12:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.13:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.13:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.14:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.14:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.15:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.15:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.16:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.16:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.17:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.17:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.18:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.18:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.19:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.19:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.20:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.20:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.21:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.8.21:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:-:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:-:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev0:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev0:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev1:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev1:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev10:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev10:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev11:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev11:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev2:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev2:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev3:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev3:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev4:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev4:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev5:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev5:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev6:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev6:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev7:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev7:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev8:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev8:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev9:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.0:dev9:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.1:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.1:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.2:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.2:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.3:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.3:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.4:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.4:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.5:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.5:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.6:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.6:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.7:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.7:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.8:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.8:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.9:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.9:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.10:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:1.9.10:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.10:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.10:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.11:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.11:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.12:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.12:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.13:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.13:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.14:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.14:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.15:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.15:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.16:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.16:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.17:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.17:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.18:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.18:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.19:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.19:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.20:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.20:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.21:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.21:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.22:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.22:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.23:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.23:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.24:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.24:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.25:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.0.25:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.1.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

CVSS

Base:	6.5 (as of 06-10-2022 - 20:51)
Impact:
Exploitability:

CWE

CWE-787

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:S/C:P/I:P/A:P

redhat via4

advisories

bugzilla

id	1819111
title	CVE-2020-11100 haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 8 is installed
oval oval:com.redhat.rhba:tst:20193384074

AND
comment haproxy is earlier than 0:1.8.15-6.el8_1.1
oval oval:com.redhat.rhsa:tst:20201288001
comment haproxy is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20130868002

AND

comment haproxy-debugsource is earlier than 0:1.8.15-6.el8_1.1
oval oval:com.redhat.rhsa:tst:20201288003
comment haproxy-debugsource is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20201288004

rhsa

id	RHSA-2020:1288
released	2020-04-02
severity	Critical
title	RHSA-2020:1288: haproxy security update (Critical)

rpms

haproxy-debuginfo-0:1.8.23-3.el7
haproxy18-0:1.8.23-3.el7
haproxy-0:1.8.15-6.el8_1.1
haproxy-debuginfo-0:1.8.15-6.el8_1.1
haproxy-debugsource-0:1.8.15-6.el8_1.1
haproxy-0:1.8.15-5.el8_0.1
haproxy-debuginfo-0:1.8.15-5.el8_0.1
haproxy-debugsource-0:1.8.15-5.el8_0.1
rh-haproxy18-haproxy-0:1.8.17-1.el7.1
rh-haproxy18-haproxy-debuginfo-0:1.8.17-1.el7.1
rh-haproxy18-haproxy-syspaths-0:1.8.17-1.el7.1
haproxy-debuginfo-0:2.0.13-3.el7
haproxy-debugsource-0:2.0.13-3.el8
haproxy20-0:2.0.13-3.el7
haproxy20-0:2.0.13-3.el8
haproxy20-debuginfo-0:2.0.13-3.el8

refmap via4

confirm	https://bugzilla.redhat.com/show_bug.cgi?id=1819111 https://bugzilla.suse.com/show_bug.cgi?id=1168023 https://git.haproxy.org/?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88 https://lists.debian.org/debian-security-announce/2020/msg00052.html https://www.haproxy.org/download/2.1/src/CHANGELOG https://www.mail-archive.com/haproxy@formilux.org/msg36876.html
debian	DSA-4649
fedora	FEDORA-2020-13fd8b1721 FEDORA-2020-16cd111544
gentoo	GLSA-202012-22
misc	http://packetstormsecurity.com/files/157323/haproxy-hpack-tbl.c-Out-Of-Bounds-Write.html http://www.haproxy.org
suse	openSUSE-SU-2020:0444
ubuntu	USN-4321-1

Last major update

06-10-2022 - 20:51

Published

02-04-2020 - 15:15

Last modified

06-10-2022 - 20:51