CVE-2024-49214

Public on 2024-10-14
Modified on 2024-11-21
Description
QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
5.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 haproxy No Fix Planned
Amazon Linux 2023 haproxy Not Affected
Amazon Linux 2 - Haproxy2 Extra haproxy2 Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD CVSSv3 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2024-49214 Mitre: CVE-2024-49214