CVE-2023-45539

Publication date 4 December 2023

Last updated 26 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
haproxy	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Fixed 2.6.9-1ubuntu1.2
	22.04 LTS jammy	Fixed 2.4.22-0ubuntu0.22.04.3
	20.04 LTS focal	Fixed 2.0.31-0ubuntu0.3
	18.04 LTS bionic	Fixed 1.8.8-1ubuntu0.13+esm2
	16.04 LTS xenial	Fixed 1.6.3-1ubuntu0.3+esm1
	14.04 LTS trusty	Ignored end of standard support

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
haproxy	Upstream: https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=832b672eee54866c7a42a1d46078cc9ae0d544d9 Upstream: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=178cea76b1c9d9413afa6961b6a4576fcb5b26fa Upstream: https://git.haproxy.org/?p=haproxy.git%3Ba=commit%3Bh=2eab6d354322932cfec2ed54de261e4347eca9a6

Severity score breakdown

Parameter	Value
Base score	8.2 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N