HTTP: HAProxy h1_headers_to_hdr_list Empty Header Name Access Control Bypass

This signature detects attempts to exploit a known vulnerability in HAProxy's h1_headers_to_hdr_list. A successful attack can lead to a security bypass.

Extended Description

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.
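
A defensive check for the condition described above, as an added example (it is not this signature's logic and not HAProxy code): it flags HTTP/1 request heads that contain a header line with an empty field name. The function name and the sample requests are constructed for illustration.

```python
# Added example: detect empty header field names in an HTTP/1 request head.
# All sample requests below are constructed for illustration.

def empty_header_names(raw_request: bytes) -> list[int]:
    """Return 1-based positions of header lines whose field name is empty.

    Only the request head (everything before the first blank line) is
    inspected, so a message body that happens to start with ':' is ignored.
    """
    # Tolerate bare-LF line endings as well as CRLF.
    head = raw_request.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    header_lines = head.split(b"\n")[1:]  # drop the request line

    hits = []
    for pos, line in enumerate(header_lines, start=1):
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            # Folded continuation of the previous header, not a new field.
            continue
        name, sep, _value = line.partition(b":")
        if sep and name == b"":
            # The line begins with ':' so the field name has zero length.
            hits.append(pos)
    return hits


# Constructed samples.
CLEAN = b"GET /status HTTP/1.1\r\nHost: example.test\r\nX-Request-Id: 1\r\n\r\n"
SUSPECT = (
    b"GET /status HTTP/1.1\r\nHost: example.test\r\n"
    b": \r\nX-Request-Id: 1\r\n\r\n"
)
BODY_ONLY = (
    b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 5\r\n\r\n:body"
)

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("suspect", SUSPECT), ("body", BODY_ONLY)):
        hits = empty_header_names(req)
        verdict = "ALERT" if hits else "ok"
        print(f"{label}: {verdict} empty-name header lines at {hits}")
```
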

Affected Products

Haproxy haproxy

References

CVE: CVE-2023-25725

Short Name
HTTP:CTS:HAPXY-EMPTY-HDRNM-BYPS
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
Access Bypass CVE-2023-25725 Control Empty HAProxy Header Name h1_headers_to_hdr_list
Release Date
03/30/2023
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3584
False Positive
Unknown
Vendors

Haproxy

Debian
