CVE-2013-2175

Name: CVE-2013-2175
Creator: NVD / NIST
Published: 2013-08-19T13:07:58.227+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 3.49%

Last modified Jun 16, 2026

CVE-2013-2175 is a vulnerability of currently unknown severity. HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.. EPSS estimates a 3.49% chance of exploitation in the next 30 days.

Description

HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.

Metrics

EPSS Probability

3.49%

87.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Debian	Debian Linux	6.0	—
Canonical	Ubuntu Linux	12.04	—
Canonical	Ubuntu Linux	12.10	—
Canonical	Ubuntu Linux	13.04	—
Redhat	Enterprise Linux Load Balancer	6.0	—
Redhat	Enterprise Linux Load Balancer	6.4	—
Haproxy	Haproxy	1.4	—
Haproxy	Haproxy	1.4.0	—
Haproxy	Haproxy	1.4.1	—
Haproxy	Haproxy	1.4.2	—
Haproxy	Haproxy	1.4.3	—
Haproxy	Haproxy	1.4.4	—
Haproxy	Haproxy	1.4.5	—
Haproxy	Haproxy	1.4.6	—
Haproxy	Haproxy	1.4.7	—
Haproxy	Haproxy	1.4.8	—
Haproxy	Haproxy	1.4.9	—
Haproxy	Haproxy	1.4.10	—
Haproxy	Haproxy	1.4.11	—
Haproxy	Haproxy	1.4.12	—
Haproxy	Haproxy	1.4.13	—
Haproxy	Haproxy	1.4.14	—
Haproxy	Haproxy	1.4.15	—
Haproxy	Haproxy	1.4.16	—
Haproxy	Haproxy	1.4.17	—
Haproxy	Haproxy	1.4.18	—
Haproxy	Haproxy	1.4.19	—
Haproxy	Haproxy	1.4.20	—
Haproxy	Haproxy	1.4.21	—
Haproxy	Haproxy	1.4.22	—
Haproxy	Haproxy	1.4.23	—
Haproxy	Haproxy	1.5	Dev

References

http://marc.info/?l=haproxy&m=137147915029705&w=2Patch, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-1120.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-1204.htmlThird Party Advisory
http://secunia.com/advisories/54344
http://www.debian.org/security/2013/dsa-2711Third Party Advisory
http://www.ubuntu.com/usn/USN-1889-1Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=974259Issue Tracking
http://marc.info/?l=haproxy&m=137147915029705&w=2Patch, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-1120.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-1204.htmlThird Party Advisory
http://secunia.com/advisories/54344
http://www.debian.org/security/2013/dsa-2711Third Party Advisory
http://www.ubuntu.com/usn/USN-1889-1Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=974259Issue Tracking

Timeline

Published: Aug 19, 2013
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2013-2175?

How severe is CVE-2013-2175?

Severity scoring for CVE-2013-2175 is pending analysis. The EPSS model estimates a 3.49% probability of exploitation in the next 30 days.

How do I fix CVE-2013-2175?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2013-2175?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST