Cyber Resilience

CVE-2022-0711

Severity: High · Tag: DDoS

Published: 02 March 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 score: 7.5 (High); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS score: 0.6648 (98.6th percentile)
Risk priority: 55 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-0711 is a high-severity Infinite Loop (CWE-835) vulnerability in HAProxy (vendor: HAProxy). Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 1.4% of CVEs by EPSS exploit likelihood (98.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A flaw was found in HAProxy's handling of HTTP responses that contain a Set-Cookie2 header. The defect, tracked as CWE-835, allows specially crafted response packets to trigger an infinite loop, resulting in a denial-of-service condition that affects availability. The vulnerability received a CVSS 3.1 base score of 7.5 and impacts HAProxy installations that process untrusted HTTP traffic.

An unauthenticated attacker with network access can send the malicious responses to trigger the loop. Because the attack requires no user interaction or credentials and can be launched remotely, it poses a direct threat to the stability of load balancers or proxies running the affected software.

Public advisories from Red Hat and Debian, together with the referenced upstream commit, document the availability of patches that correct the header-processing logic. The EPSS score for this CVE stands at 0.6648, with no recorded increase from an earlier, lower baseline.

Vulnerability details

A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.

CWE(s): CWE-835 (Infinite Loop)

Related Threats

No named threat actor has been attributed to this CVE yet; ATT&CK technique mapping for it is still in progress.

Affected Assets (vendor / product: versions)

haproxy / haproxy: 2.2.0 through 2.2.21, 2.3.0 through 2.3.18, 2.4.0 through 2.4.13
redhat / openshift container platform: 4.0
redhat / software collections: all versions
redhat / enterprise linux: 7.0, 8.0
debian / debian linux: 11.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-835: enables transfer to an alternate site if an infinite loop at the primary renders processing unavailable.

Addresses CWE-835: detects and mitigates infinite loops that produce sustained resource consumption.