{"id":"BIT-haproxy-2021-40346","details":"An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.","aliases":["CVE-2021-40346"],"modified":"2025-04-03T14:40:37.652Z","published":"2024-03-06T10:54:15.896Z","database_specific":{"cpes":["cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*"],"severity":"High"},"references":[{"type":"WEB","url":"https://git.haproxy.org/?p=haproxy.git"},{"type":"WEB","url":"https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95"},{"type":"WEB","url":"https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r284567dd7523f5823e2ce995f787ccd37b1cc4108779c50a97c79120%40%3Cdev.cloudstack.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8a58fd7a29808e5d27ee56877745e58dc4bb041b9af94601554e2a5a%40%3Cdev.cloudstack.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7V2IYO22LWVBGUNZWVKNTMDV4KINLFO/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXTSBY2TEAXWZVFQM3CXHJFRONX7PEMN/"},{"type":"WEB","url":"https://www.debian.org/security/2021/dsa-4968"},{"type":"WEB","url":"https://www.mail-archive.com/haproxy%40formilux.org"},{"type":"WEB","url":"https://www.mail-archive.com/haproxy%40formilux.org/msg41114.html"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40346"}],"affected":[{"package":{"name":"haproxy","ecosystem":"Bitnami","purl":"pkg:bitnami/haproxy"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.0.0"},{"fixed":"2.0.25"},{"introduced":"2.2.0"},{"fixed":"2.2.17"},{"introduced":"2.3.0"},{"fixed":"2.3.14"},{"introduced":"2.4.0"},{"fixed":"2.4.4"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/haproxy/BIT-haproxy-2021-40346.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}],"schema_version":"1.7.3"}