Bug 1227331 (CVE-2024-37082)

Summary: VUL-0: CVE-2024-37082: haproxy: bypass of mTLS authentication to applications hosted on Cloud Foundry.
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Shapbot Shapbotson <shap-staff>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: rfrohl
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/412764/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-07-03 09:24:10 UTC
Security check loophole in HAProxy release (in combination with routing release) in Cloud Foundry prior to v40.17.0 potentially allows bypass of mTLS authentication to applications hosted on Cloud Foundry.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37082
https://www.cve.org/CVERecord?id=CVE-2024-37082
https://www.cloudfoundry.org/blog/cve-2024-37082-mtls-bypass/

Comment 1 Robert Frohl 2024-07-03 09:24:30 UTC
not relevant for us, closing