{"id":"CVE-2024-49214","details":"QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x before 2.9.11 allows opening a 0-RTT session with a spoofed IP address. This can bypass the IP allow/block list functionality.","aliases":["BIT-haproxy-2024-49214"],"modified":"2026-04-12T10:46:40.231542Z","published":"2024-10-14T04:15:05.853Z","related":["CGA-2354-5ppc-3wqq","openSUSE-SU-2024:14402-1"],"references":[{"type":"WEB","url":"https://www.mail-archive.com/haproxy%40formilux.org/msg45314.html"},{"type":"WEB","url":"https://www.mail-archive.com/haproxy%40formilux.org/msg45315.html"},{"type":"WEB","url":"https://www.haproxy.org/download/2.9/src/CHANGELOG"},{"type":"WEB","url":"https://www.haproxy.org/download/3.0/src/CHANGELOG"},{"type":"WEB","url":"https://www.haproxy.org/download/3.1/src/CHANGELOG"},{"type":"WEB","url":"https://www.mail-archive.com/haproxy%40formilux.org/msg45291.html"},{"type":"FIX","url":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/haproxy/haproxy","events":[{"introduced":"f2b97918e80b2f4df1da751a44fe6e323c6e4b9e"},{"fixed":"a2aea9f57362aa356512764c71be3922a19097fa"},{"introduced":"5590ada4731a1f75004675680b4bdca61fa4c507"},{"fixed":"db1a7513b78822011aee2919c9483472907cf0b0"},{"introduced":"fddb8c13b6811b3b34eba0ad58d1f5fd5a3c7f60"},{"fixed":"2fb1776f5c775dd07dfd56833db06922e5b3b7e5"},{"fixed":"f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46"}],"database_specific":{"versions":[{"introduced":"3.1.x"},{"fixed":"3.1-dev7"},{"introduced":"3.0.x"},{"fixed":"3.0.5"},{"introduced":"2.9.x"},{"fixed":"2.9.11"}]}}],"versions":["v2.9.0","v3.0-dev0","v3.0-dev1","v3.0-dev2","v3.0-dev3","v3.0-dev4","v3.0.0","v3.1-dev0","v3.1-dev1","v3.1-dev2","v3.1-dev3","v3.1-dev4","v3.1-dev5","v3.1-dev6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49214.json","vanir_signatures_modified":"2026-04-12T10:46:40Z","vanir_signatures":[{"deprecated":false,"target":{"file":"src/quic_ssl.c","function":"ha_quic_add_handshake_data"},"digest":{"length":917,"function_hash":"225235977482820258306306967104298751860"},"signature_version":"v1","id":"CVE-2024-49214-1d6c8fe7","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Function"},{"deprecated":false,"target":{"file":"src/quic_retry.c"},"digest":{"line_hashes":["60639463892613713228718973866651959047","325590356803411478845787945888062744568","58426498032884458394495297224306221848","238473620256721977236558776683943413854","39630000062803047271044407841061129285","242778653965314509013389213031203032876","114471063736133523827427172796948290600","326222013696101232035583103706350560646","32980715653665645565245111619941388766","204806154002726765013535263481834013696"],"threshold":0.9},"signature_version":"v1","id":"CVE-2024-49214-2fa1ce40","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Line"},{"deprecated":false,"target":{"file":"src/quic_retry.c","function":"quic_retry_token_check"},"digest":{"length":2562,"function_hash":"286945486971677419229671980595013214347"},"signature_version":"v1","id":"CVE-2024-49214-31d02b0a","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Function"},{"deprecated":false,"target":{"file":"src/quic_conn.c","function":"qc_new_conn"},"digest":{"length":6026,"function_hash":"66024337377888435237615001248727510092"},"signature_version":"v1","id":"CVE-2024-49214-352e6c2e","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Function"},{"deprecated":false,"target":{"file":"src/quic_rx.c","function":"quic_rx_pkt_retrieve_conn"},"digest":{"length":3419,"function_hash":"216199681390215472535293240519848144236"},"signature_version":"v1","id":"CVE-2024-49214-3e4528c2","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Function"},{"deprecated":false,"target":{"file":"src/quic_ssl.c","function":"qc_ssl_provide_quic_data"},"digest":{"length":3257,"function_hash":"58177727618123357428576944092069678806"},"signature_version":"v1","id":"CVE-2024-49214-8faab61a","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Function"},{"deprecated":false,"target":{"file":"src/quic_rx.c"},"digest":{"line_hashes":["310190445547535871900436016349706824748","315417932801337672912981129003566146585","284104024998665450126904634593648672468","265149909356650253767427496670392060120","60708130288838268091261483068912512596","98347421636126788014535124355430313051","234468523922400302545863792000412506467","119543455274471613701738016432512637522","320079676702619022912924775851455466384","282629679360571040105910364011318164059","36296139333477326664890374910341066271","100570541638716738533210145764188004476"],"threshold":0.9},"signature_version":"v1","id":"CVE-2024-49214-b2908c5d","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Line"},{"deprecated":false,"target":{"file":"src/quic_conn.c","function":"quic_build_post_handshake_frames"},"digest":{"length":1512,"function_hash":"302239745271394033922205336450994242084"},"signature_version":"v1","id":"CVE-2024-49214-d46ea629","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Function"},{"deprecated":false,"target":{"file":"src/quic_conn.c"},"digest":{"line_hashes":["319381759892566369916350163157469501200","289208057323373638865448087384887595077","162174740062692275488478914695355833491","36042137288017253999825842568018932832","19112923100387226886378419794071503482","206299959034715899288558378207393103344","291886813690074856151428216000835977262","325455745741402451836039235919152181529","218360423738763101578179915623625180647","192042481477596121707809669717063283939","267938502567955701065776489847388173683","218904348723654378946434981184727509407","216783746852196367174432440659979864150","142753710763690295255028576737730404463","308385669208178805367946905747770573401","60335812892372704123418823846629082098","57764726015064287103157497247174534803","13276512711440529749581859037047577158","95742225971504328659179042291297384369","337953252649534938843959301957266713085","263704598126324377441279627358525370706","195465314514565329751932065087905295211","248440284629673481517426036024596119700","199138635368019283476750634823990314716","100507737722032897941965020034942278427","113271790097086754331504491873946907800"],"threshold":0.9},"signature_version":"v1","id":"CVE-2024-49214-d8dda7fe","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Line"},{"deprecated":false,"target":{"file":"src/quic_conn.c","function":"quic_conn_io_cb"},"digest":{"length":2334,"function_hash":"277015934393364593305933053889220553223"},"signature_version":"v1","id":"CVE-2024-49214-e3f3204e","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Function"},{"deprecated":false,"target":{"file":"src/quic_ssl.c"},"digest":{"line_hashes":["31067385120120708543521558960159162402","214644405826794400994868243369574641768","215572578451546892103944664899829684880","174626087926758349748359249384824099761","44882766511539593371066907793209397265","44987341567100532695789701617614715326","114244552958145411900713803897414711217","177351631731858997012919141391757497953","13147304806706172586597645187241871070"],"threshold":0.9},"signature_version":"v1","id":"CVE-2024-49214-e4a06845","source":"https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46","signature_type":"Line"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}