Vulnerability Details : CVE-2019-14243
headerv2.go in mastercactapus proxyprotocol before 0.0.2, as used in the mastercactapus caddy-proxyprotocol plugin through 0.0.2 for Caddy, allows remote attackers to cause a denial of service (webserver panic and daemon crash) via a crafted HAProxy PROXY v2 request with truncated source/destination address data.
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2019-14243
- cpe:2.3:a:haproxy:proxyprotocol:*:*:*:*:*:caddy:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-14243
3.66%
Probability of exploitation activity in the next 30 days
EPSS Score History
~92% percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-14243
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
CWE ids for CVE-2019-14243
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-14243
- https://github.com/mastercactapus/proxyprotocol/compare/ef496d7...5c4a101
  Comparing ef496d7...5c4a101 · mastercactapus/proxyprotocol · GitHub (Third Party Advisory)
- https://github.com/mastercactapus/proxyprotocol/issues/1
  Invalid V2 PROXY data causes parsing panics/denial-of-service · Issue #1 · mastercactapus/proxyprotocol · GitHub (Exploit; Third Party Advisory)
- https://github.com/mastercactapus/proxyprotocol/releases/tag/v0.0.2
  Release v0.0.2 · mastercactapus/proxyprotocol · GitHub (Release Notes; Third Party Advisory)
- https://github.com/mastercactapus/proxyprotocol/commit/5c4a101121fc3e868026189c7a73f7f19eef90ac
  Add test and fix for malformed/truncated header · mastercactapus/proxyprotocol@5c4a101 · GitHub (Patch; Third Party Advisory)
- https://github.com/mastercactapus/caddy-proxyprotocol/issues/8
  Denial of service vulnerability with invalid v2 PROXY data · Issue #8 · mastercactapus/caddy-proxyprotocol · GitHub (Issue Tracking; Third Party Advisory)
- https://caddy.community/t/dos-in-http-proxyprotocol-plugin/6014
  DoS in http.proxyprotocol plugin - Plugins - Caddy Community (Third Party Advisory)