CVE-2024-45506

moderate-risk
Published 2024-09-04

HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding (h2_send loop) under a certain set of conditions, as exploited in the wild in 2024.

Do I need to act?

~
1.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (7)

Affected Vendors

Haproxy

References (6)

Broken Link http://git.haproxy.org/?p=haproxy-3.0.git%3Ba=commitdiff%3Bh=c725db17e8416ffb3c1...
Broken Link http://git.haproxy.org/?p=haproxy-3.0.git%3Ba=commitdiff%3Bh=d636e515453320c6e12...
Product https://www.haproxy.org/
Release Notes https://www.haproxy.org/download/3.1/src/CHANGELOG
Release Notes https://www.mail-archive.com/haproxy%40formilux.org/msg45280.html
Release Notes https://www.mail-archive.com/haproxy%40formilux.org/msg45281.html
44
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 4/34 · Minimal
Exposure 14/34 · Moderate