vulnerability
Oracle Linux: CVE-2023-0836: ELSA-2023-6496: haproxy security and bug fix update (MODERATE)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:C/I:N/A:N) | Dec 9, 2022 | Nov 16, 2023 | Dec 3, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published
Dec 9, 2022
Added
Nov 16, 2023
Modified
Dec 3, 2025
Description
An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
A flaw was found in HAProxy, which could allow a remote attacker to obtain sensitive information caused by improper initialization when encoding the FCGI_BEGIN_REQUEST record. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and use this information to launch further attacks against the affected system.
A flaw was found in HAProxy, which could allow a remote attacker to obtain sensitive information caused by improper initialization when encoding the FCGI_BEGIN_REQUEST record. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information and use this information to launch further attacks against the affected system.
Solution
oracle-linux-upgrade-haproxy
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.