CVE-2018-11469 in HAProxy
Summary
by MITRE
Incorrect caching of responses to requests including an Authorization header in HAProxy 1.8.0 through 1.8.9 (if cache enabled) allows attackers to achieve information disclosure via an unauthenticated remote request, related to the proto_http.c check_request_for_cacheability function.
Analysis
by VulDB Data Team • 03/17/2023
CVE-2018-11469 is an information disclosure flaw in HAProxy 1.8.0 through 1.8.9 that affects only deployments with the HTTP cache (new in the 1.8 branch) enabled. In these versions the cache may store a response to a request that carried an Authorization header, so content generated for an authenticated client can later be served straight from the cache to an unauthenticated one.
The root cause is in check_request_for_cacheability in proto_http.c, the function that decides from the request whether the transaction is eligible for caching. In the affected versions it does not look at the Authorization header at all, so a response to an authenticated request is treated like any other cacheable response. That contradicts RFC 7234 section 3.2, which forbids a shared cache from storing the response to a request with Authorization unless the origin explicitly allows it (with a public, must-revalidate or s-maxage directive in Cache-Control).
Exploitation needs no credentials and no crafted request. A legitimate user first requests a protected resource with a valid Authorization header; the backend returns the private response and HAProxy stores it. Any later request for the same URL, from any client, is then answered from the cache without ever reaching the backend's authentication check. The attacker only has to fetch the URL while the entry is still fresh, a window bounded by the max-age of the cache section, which makes the flaw an authentication bypass for read access to whatever the cache holds.
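The store decision described above, reduced to a model a practitioner can step through. This is an added illustration, not HAProxy's code: it implements the RFC 7234 section 3.2 rule in Python on top of a toy shared cache, with a switch that reproduces the 1.8.0-1.8.9 behaviour (Authorization never consulted). The backend, the token value, the path and the header values are constructed for the example.

```python
"""Model of a shared cache's store decision, vulnerable vs. fixed.

Added example, not code from HAProxy. `fixed=False` reproduces the
1.8.0-1.8.9 behaviour of check_request_for_cacheability, which never
looks at the Authorization header; `fixed=True` applies RFC 7234 s3.2.
Backend, token, path and headers below are made up for the demo.
"""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict          # lower-case header names
    body: str
    from_cache: bool = False


def _cc_directives(headers):
    """Parse Cache-Control into {directive: value-or-None}."""
    out = {}
    for tok in headers.get("cache-control", "").split(","):
        tok = tok.strip().lower()
        if tok:
            name, _, value = tok.partition("=")
            out[name] = value or None
    return out


def may_store(req_headers, resp, fixed):
    """May a shared cache store `resp`, the answer to a GET with req_headers?"""
    if resp.status != 200:
        return False
    req_cc = _cc_directives(req_headers)
    resp_cc = _cc_directives(resp.headers)
    if "no-store" in req_cc or "no-store" in resp_cc or "private" in resp_cc:
        return False
    if fixed and "authorization" in req_headers:
        # RFC 7234 s3.2: a response to an authenticated request is not
        # stored by a shared cache unless the origin opted in explicitly.
        return bool(set(resp_cc) & {"public", "must-revalidate", "s-maxage"})
    return True            # 1.8.0-1.8.9: Authorization is simply ignored


class SharedCache:
    """Minimal HAProxy-like cache in front of a backend: GET only, keyed by path."""

    def __init__(self, backend, fixed):
        self.backend, self.fixed, self.store = backend, fixed, {}

    def handle(self, method, path, req_headers):
        req_headers = {k.lower(): v for k, v in req_headers.items()}
        if method == "GET" and path in self.store:
            hit = self.store[path]
            return Response(hit.status, dict(hit.headers), hit.body, from_cache=True)
        resp = self.backend(method, path, req_headers)
        if method == "GET" and may_store(req_headers, resp, self.fixed):
            self.store[path] = resp
        return resp


VALID_TOKEN = "Bearer alice-secret-token"     # constructed credential


def make_backend(cache_control):
    """Origin serving /account only to the bearer of VALID_TOKEN.

    `cache_control` is what the origin puts on the private response; a
    careless origin sends only max-age and forgets `private`.
    """
    def backend(method, path, req_headers):
        if req_headers.get("authorization") != VALID_TOKEN:
            return Response(401, {"www-authenticate": "Bearer"}, "unauthorized")
        return Response(200, {"cache-control": cache_control}, "account=alice balance=1234")
    return backend


def replay(fixed, cache_control="max-age=60"):
    """Alice fetches her account; then an anonymous client asks for the same URL.

    Returns the response the anonymous client received.
    """
    cache = SharedCache(make_backend(cache_control), fixed)
    alice = cache.handle("GET", "/account", {"Authorization": VALID_TOKEN})
    assert alice.status == 200 and not alice.from_cache
    return cache.handle("GET", "/account", {})


if __name__ == "__main__":
    for fixed in (False, True):
        anon = replay(fixed)
        print(f"fixed={fixed}: anonymous client got {anon.status} "
              f"(from_cache={anon.from_cache}) body={anon.body!r}")
```

The third scenario in the test, an origin that labels the private response `public`, shows the limit of the server-side fix: RFC 7234 lets a shared cache store such a response even for an authenticated request, so backends still have to send `Cache-Control: private` or `no-store` on personalised content.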
The weakness is classified as CWE-200 (Information Exposure). Mapping it to CWE-522 (Insufficiently Protected Credentials) is a stretch: the flaw leaks whatever the backend returned to the authenticated user, which may include tokens or personal data, but the defect lies in the cache's storage decision, not in how credentials are stored. The ATT&CK techniques sometimes attached to this entry, T1071.004 (Application Layer Protocol: DNS) and T1567.002 (Exfiltration Over Web Service), do not describe it either; neither DNS nor an external web service plays any role. ATT&CK has no technique for server-side cache disclosure of this kind; in practice the flaw is an authentication bypass for read access to cached resources.
The impact depends on what the backend serves to authenticated users through the cache: account pages, API responses carrying tokens or keys, or internal status endpoints. Because HAProxy usually sits at the edge as the reverse proxy or load balancer for several applications, one cache rule applied too broadly can expose every backend behind it, and a leaked session token or API key can then be replayed against the application directly.
Upgrade to HAProxy 1.8.10 or later, where check_request_for_cacheability was corrected to treat requests carrying an Authorization header as non-cacheable. Until the upgrade, restrict the cache-use and cache-store rules with an ACL that excludes requests with an Authorization header, or remove the cache rules from backends that serve authenticated content. Independently of the HAProxy version, have backends send Cache-Control: private or no-store on personalised responses, because RFC 7234 permits a shared cache to store the response to an authenticated request when the origin explicitly opts in with public, must-revalidate or s-maxage. Verify the effective behaviour with two requests for the same protected URL, one authenticated and then one anonymous: the second must come back with the backend's 401 or 403, not with the cached body.
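An HAProxy 1.8 configuration showing the exclusion ACL described above next to the unconditional rules it replaces. This is an added example, not configuration from the page or from the HAProxy project; the section names, the backend address and the cache sizes are placeholders. It assumes a transaction-scoped variable is used to carry the request-side check into the response rule, so the same condition works for both cache-use and cache-store.

```haproxy
# Added example: cache configuration with and without the Authorization
# exclusion. Names, sizes and addresses are placeholders.

cache app_cache
    total-max-size 64        # MB
    max-age 240              # seconds an entry stays fresh

frontend web
    bind :80
    default_backend app

backend app
    # Record at request time whether the client sent Authorization, in a
    # txn-scoped variable that is still visible when the response rules run.
    http-request set-var(txn.authz) req.hdr(Authorization)
    acl authenticated var(txn.authz) -m found

    # Vulnerable shape on 1.8.0-1.8.9: every eligible response is cached,
    # including those produced for an authenticated client.
    #http-request  cache-use   app_cache
    #http-response cache-store app_cache

    # Hardened shape: neither serve from nor store into the cache for
    # authenticated requests, whatever the HAProxy version.
    http-request  cache-use   app_cache unless authenticated
    http-response cache-store app_cache unless authenticated

    server app1 10.0.0.10:8080
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then run the two-request verification from the paragraph above against a protected URL.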