Search for vulnerabilities
Vulnerability details: VCID-rxhq-kb4n-w3ap
Vulnerability ID VCID-rxhq-kb4n-w3ap
Aliases CVE-2023-0836
Summary An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-459 Incomplete Cleanup
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-0836.json
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-0836
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-0836
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-0836
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-0836
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2023-0836
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://git.haproxy.org/?p=haproxy.git%3Ba=commitdiff%3Bh=2e6bf0a
ssvc Track https://git.haproxy.org/?p=haproxy.git%3Ba=commitdiff%3Bh=2e6bf0a
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-0836
cvssv3.1 7.5 https://www.debian.org/security/2023/dsa-5388
ssvc Track https://www.debian.org/security/2023/dsa-5388
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-0836.json
https://api.first.org/data/v1/epss?cve=CVE-2023-0836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0836
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2180746 https://bugzilla.redhat.com/show_bug.cgi?id=2180746
cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.1.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haproxy:haproxy:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.3.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haproxy:haproxy:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:haproxy:haproxy:2.7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:haproxy:haproxy:2.7.0:*:*:*:*:*:*:*
CVE-2023-0836 https://nvd.nist.gov/vuln/detail/CVE-2023-0836
dsa-5388 https://www.debian.org/security/2023/dsa-5388
?p=haproxy.git%3Ba=commitdiff%3Bh=2e6bf0a https://git.haproxy.org/?p=haproxy.git%3Ba=commitdiff%3Bh=2e6bf0a
RHSA-2023:6496 https://access.redhat.com/errata/RHSA-2023:6496
USN-5994-1 https://usn.ubuntu.com/5994-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-0836.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://git.haproxy.org/?p=haproxy.git%3Ba=commitdiff%3Bh=2e6bf0a
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T16:41:58Z/ Found at https://git.haproxy.org/?p=haproxy.git%3Ba=commitdiff%3Bh=2e6bf0a
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-0836
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.debian.org/security/2023/dsa-5388
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T16:41:58Z/ Found at https://www.debian.org/security/2023/dsa-5388
Exploit Prediction Scoring System (EPSS)
Percentile 0.00197
EPSS Score 5e-05
Published At July 6, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:16:28.398832+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/5994-1/ 36.1.3