PublicDateAtUSN: 2021-09-07 15:00:00 UTC
Candidate: CVE-2021-40346
CRD: 2021-09-07 15:00:00 UTC
PublicDate: 2021-09-08 17:15:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40346
 https://www.mail-archive.com/haproxy@formilux.org/msg41114.html
 https://ubuntu.com/security/notices/USN-5063-1
Description:
 An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header
 that can be exploited to perform an HTTP request smuggling attack, allowing
 an attacker to bypass all configured http-request HAProxy ACLs and possibly
 other ACLs.
Ubuntu-Description: 
Notes: 
Mitigation: 
Bugs: 
Priority: medium
Discovered-by: Ori Hollander
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_haproxy:
upstream_haproxy: needs-triage
trusty_haproxy: ignored (out of standard support)
trusty/esm_haproxy: DNE
xenial_haproxy: ignored (out of standard support)
esm-infra/xenial_haproxy: not-affected (code not present)
bionic_haproxy: not-affected (code not present)
focal_haproxy: released (2.0.13-2ubuntu0.3)
hirsute_haproxy: released (2.2.9-1ubuntu0.2)
impish_haproxy: released (2.2.9-2ubuntu2)
jammy_haproxy: released (2.2.9-2ubuntu2)
devel_haproxy: released (2.2.9-2ubuntu2)