Executive Summary
Informations | |||
---|---|---|---|
Name | CVE-2023-25725 | First vendor Publication | 2023-02-14 |
Vendor | Cve | Last vendor Modification | 2025-03-20 |
Security-Database Scoring CVSS v3
Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | |||
---|---|---|---|
Overall CVSS Score | 9.1 | ||
Base Score | 9.1 | Environmental Score | 9.1 |
impact SubScore | 5.2 | Temporal Score | 9.1 |
Exploitabality Sub Score | 3.9 | ||
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | None | User Interaction | None |
Scope | Unchanged | Confidentiality Impact | None |
Integrity Impact | High | Availability Impact | High |
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : | |||
---|---|---|---|
Cvss Base Score | N/A | Attack Range | N/A |
Cvss Impact Score | N/A | Attack Complexity | N/A |
Cvss Expoit Score | N/A | Authentication | N/A |
Calculate full CVSS 2.0 Vectors scores |
Detail
HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31. |
Original Source
Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25725 |
CPE : Common Platform Enumeration
Sources (Detail)
Alert History
Date | Informations |
---|---|
2025-03-21 00:21:57 |
|
2024-11-28 14:22:45 |
|
2023-11-07 21:30:11 |
|
2023-04-07 02:19:18 |
|
2023-02-25 13:10:21 |
|
2023-02-23 17:27:16 |
|
2023-02-15 21:27:16 |
|
2023-02-15 05:27:18 |
|