CVE-2024-45506

HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding...

Basic Information

CVE State: PUBLISHED
Reserved Date: September 01, 2024
Published Date: September 04, 2024
Last Updated: March 14, 2025
Vendor: n/a
Product: n/a
Description: HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions, as exploited in the wild in 2024.

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2024-09-04 00:00:00 UTC) Source

References

https://www.haproxy.org/ https://www.haproxy.org/download/3.1/src/CHANGELOG https://www.mail-archive.com/haproxy%40formilux.org/msg45281.html https://www.mail-archive.com/haproxy%40formilux.org/msg45280.html http://git.haproxy.org/?p=haproxy-3.0.git%3Ba=commitdiff%3Bh=c725db17e8416ffb3c1537aea756356228ce5e3c http://git.haproxy.org/?p=haproxy-3.0.git%3Ba=commitdiff%3Bh=d636e515453320c6e122c313c661a8ac7d387c7f

Known Exploited Vulnerability Information

Source	Added Date
CVE	2024-09-04 00:00:00 UTC

Timeline

CVE ID Reserved

September 01, 2024
CVE Published to Public

September 04, 2024
Added to KEVIntel

September 04, 2024