CVE-2022-0711
Published: 02 March 2022
Summary
CVE-2022-0711 is a high-severity Infinite Loop (CWE-835) vulnerability in HAProxy. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.4% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A flaw was found in HAProxy's handling of HTTP responses that contain a Set-Cookie2 header (the obsolete RFC 2965 cookie header, superseded by RFC 6265). The defect, classified as CWE-835 (Loop with Unreachable Exit Condition, "Infinite Loop"), lets a specially crafted response drive HAProxy into an infinite loop, resulting in a denial-of-service condition; the impact is to availability only, with no confidentiality or integrity effect. The vulnerability carries a CVSS 3.1 base score of 7.5 and affects HAProxy installations that process untrusted HTTP traffic.
No credentials on HAProxy and no user interaction are required, and the trigger can be delivered remotely. The practical caveat is that the crafted packets are HTTP responses, not requests: the attacker needs a path for a response they control or can influence to reach HAProxy, such as a backend they have compromised or an upstream service whose response headers they can shape. Once triggered, an infinite loop inside HAProxy's event handling stops the affected process or thread from serving other connections until it is killed or restarted, so the threat to the stability of load balancers and proxies running the affected software is direct.
Public advisories from Red Hat and Debian, together with the referenced upstream commit, confirm that patches correcting the header-processing logic are available; upgrading to a fixed build is the remediation. The EPSS score for the CVE stands at 0.6648, with no indicated rise from a lower baseline.
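The following is an added example, not code from this page or from the HAProxy project: a small auditor for raw HTTP/1.x responses that reports any Set-Cookie2 header (the trigger named above) and can strip it from responses emitted by a backend you control. It matches the header name case-insensitively and joins obsolete line folding, so a "set-cookie2" spelled in odd case or split across lines is not missed. The sample responses are constructed for the example; the function and variable names are the author's own choices.

```python
"""
Added example (not part of the CVE page or the HAProxy project): audit raw
HTTP/1.x responses for the obsolete Set-Cookie2 header, the trigger for
CVE-2022-0711, and optionally rebuild the response without it.
"""
import re
from typing import List, Tuple

# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = {
    "clean": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Set-Cookie: sid=abc123; Path=/\r\n"
        b"\r\n"
        b"<html></html>"
    ),
    "set_cookie2": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"Set-Cookie2: sid=\"abc\"; Version=1; Path=\"/\"\r\n"
        b"\r\n"
    ),
    "odd_case_folded": (
        b"HTTP/1.1 302 Found\r\n"
        b"Location: /login\r\n"
        b"SET-COOKIE2: a=1;\r\n"
        b"   Version=1\r\n"  # obs-fold continuation line (RFC 7230 3.2.4)
        b"Set-Cookie: b=2\r\n"
        b"\r\n"
    ),
}


def split_headers(raw: bytes) -> Tuple[bytes, List[Tuple[str, str]], bytes]:
    """Split a raw response into (status line, [(name, value)], body).

    Accepts CRLF or bare LF line endings and joins obs-fold continuation
    lines (a line starting with SP or HTAB) onto the previous header value.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    lines = re.split(rb"\r?\n", head)
    status = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            # Continuation of the previous header value.
            if headers:
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return status, headers, body


def find_set_cookie2(raw: bytes) -> List[str]:
    """Return the value of every Set-Cookie2 header in the response.

    Header names are case-insensitive; plain Set-Cookie is a different
    header and is deliberately ignored.
    """
    _, headers, _ = split_headers(raw)
    return [v for n, v in headers if n.lower() == "set-cookie2"]


def strip_set_cookie2(raw: bytes) -> bytes:
    """Rebuild the response without any Set-Cookie2 header.

    A hardening step for backends or filters you control; it is not a
    substitute for patching, because the loop occurs inside HAProxy's own
    response handling.
    """
    status, headers, body = split_headers(raw)
    kept = [f"{n}: {v}".encode("latin-1") for n, v in headers if n.lower() != "set-cookie2"]
    return b"\r\n".join([status] + kept) + b"\r\n\r\n" + body


def audit(samples=SAMPLE_RESPONSES) -> dict:
    """Return {sample name: number of Set-Cookie2 headers found}."""
    return {name: len(find_set_cookie2(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, count in audit().items():
        print(f"{name}: {count} Set-Cookie2 header(s)")
```

Run it over responses captured from your own backends (for example from a proxy log that records full headers) to confirm none of them emit Set-Cookie2; the third sample shows why a naive exact-string match on "Set-Cookie2:" would miss a header an attacker can spell in any case or fold across lines.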
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15786
Vulnerability details
A flaw was found in the way HAProxy processed HTTP responses containing the "Set-Cookie2" header. This flaw could allow an attacker to send crafted HTTP response packets which lead to an infinite loop, eventually resulting in a denial of service condition. The highest threat from this vulnerability is availability.
- CWE(s): CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.