Vulnerability Details CVE-2019-11323
HAProxy before 1.9.7 mishandles a reload with rotated keys, which triggers use of uninitialized, and very predictable, HMAC keys. This is related to an include/types/ssl_sock.h error.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.5%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 4.3
Products affected by CVE-2019-11323
- cpe:2.3:a:haproxy:haproxy:1.9.2
- cpe:2.3:a:haproxy:haproxy:1.9.3
- cpe:2.3:a:haproxy:haproxy:1.9.4
- cpe:2.3:a:haproxy:haproxy:1.9.5
- cpe:2.3:a:haproxy:haproxy:1.9.6