What is CVE-2021-40346?

CVE-2021-40346 is a vulnerability in N/a. Published 2021-09-08.

Is CVE-2021-40346 known to be exploited?

26 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2021-40346

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

EPSS: 0.924 (99.7th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

References

www.mail-archive.com/haproxy@formilux.org (x_refsource_MISC)
git.haproxy.org/ (x_refsource_MISC)
DSA-4968 (vendor-advisory, x_refsource_DEBIAN)
www.mail-archive.com/haproxy@formilux.org/msg41114.html (x_refsource_MISC)
jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflo… (x_refsource_MISC)
github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95 (x_refsource_MISC)
[cloudstack-dev] 20210910 CVE-2021-40346 (haproxy 2.x) (mailing-list, x_refsource_MLIST)
[cloudstack-dev] 20210910 Re: CVE-2021-40346 (haproxy 2.x) (mailing-list, x_refsource_MLIST)
FEDORA-2021-3493f9f6ab (vendor-advisory, x_refsource_FEDORA)
FEDORA-2021-cd5ee418f6 (vendor-advisory, x_refsource_FEDORA)

Frequently asked questions

What is CVE-2021-40346?: CVE-2021-40346 is a vulnerability in N/a. Published 2021-09-08.
Is CVE-2021-40346 known to be exploited?: 26 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.