{"id":"CVE-2022-0711","details":"A flaw was found in the way HAProxy processed HTTP responses containing the \"Set-Cookie2\" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.","aliases":["BIT-haproxy-2022-0711"],"modified":"2026-04-09T08:35:14.263631Z","published":"2022-03-02T22:15:08.313Z","related":["SUSE-SU-2022:2277-1","openSUSE-SU-2024:11876-1"],"references":[{"type":"WEB","url":"https://www.mail-archive.com/haproxy%40formilux.org/msg41833.html"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/cve-2022-0711"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5102"},{"type":"FIX","url":"https://github.com/haproxy/haproxy/commit/bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.haproxy.org/haproxy-2.2.git","events":[{"introduced":"3a00c915fd241fc398a080a11ccac9c5c46791ce"},{"fixed":"d8e6e4b63fc323c98f9bdd6d160a20bce0d02770"}],"database_specific":{"versions":[{"introduced":"2.2.0"},{"fixed":"2.2.21"}]}},{"type":"GIT","repo":"https://git.haproxy.org/haproxy-2.3.git","events":[{"introduced":"1c0a722a83e7c45456a2b82c15889ab9ab5c4948"},{"fixed":"55c4c21958ebeb5ecb23aa404bafc5d558e4a0d7"}],"database_specific":{"versions":[{"introduced":"2.3.0"},{"fixed":"2.3.18"}]}},{"type":"GIT","repo":"https://github.com/haproxy/haproxy","events":[{"introduced":"6cbbecf09734aeb5fa8bb88f36f06a6f6d35e813"},{"fixed":"09cc669afb35fa362c9e42ab42c85f21cbdecd9d"},{"fixed":"bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8"}],"database_specific":{"versions":[{"introduced":"2.4.0"},{"fixed":"2.4.13"}]}}],"versions":["v2.2.0","v2.2.1","v2.2.10","v2.2.11","v2.2.12","v2.2.13","v2.2.14","v2.2.15","v2.2.16","v2.2.17","v2.2.18","v2.2.19","v2.2.2","v2.2.20","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.3.0","v2.3.1","v2.3.10","v2.3.11","v2.3.12","v2.3.13","v2.3.14","v2.3.15","v2.3.16","v2.3.17","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9","v2.4.0","v2.5-dev0","v2.5-dev1","v2.5-dev10","v2.5-dev11","v2.5-dev12","v2.5-dev13","v2.5-dev14","v2.5-dev15","v2.5-dev2","v2.5-dev3","v2.5-dev4","v2.5-dev5","v2.5-dev6","v2.5-dev7","v2.5-dev8","v2.5-dev9","v2.5.0","v2.6-dev0","v2.6-dev1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-0711.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}