
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-39242 is a vulnerability in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. Because a mismatch between the HTTP Host header and the authority (the :authority pseudo-header of an HTTP/2 request) was mishandled, an attacker can control the Host value a backend receives independently of the value the proxy's rules were evaluated against (CVE Mitre, NVD).
The root cause is how HAProxy handled a disagreement between the HTTP Host header and the :authority pseudo-header of an HTTP/2 request. The HTTP/2 specification in force at the time (RFC 7540) did not require the two to carry the same value, so a client can send both and make them differ. HAProxy evaluated Host-based rules (ACLs, use_backend, http-request deny) against the Host header, but when it re-encoded the request for an HTTP/2 server it dropped the Host header, and the server received only the :authority taken from the request URI. A rule could therefore match one hostname while the server acted on another (HAProxy Mail). RFC 9113, published later, closes this gap by telling servers to treat a request whose Host and :authority name different entities as malformed.
An attacker can therefore present one hostname to the rules that decide whether and where a request is allowed, and a different one to the backend. A Host-based deny or backend-selection rule can be bypassed, and the request can reach a virtual host or backend it was never meant to reach. How serious that is depends on what the backends trust the proxy to have already enforced (HAProxy Mail).
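The following script is an added illustration of the ambiguity described above, not HAProxy code. It models a decoded HTTP/2 header list, a Host-based deny rule, the unpatched forwarding behaviour (Host dropped, :authority kept) and the consistency check RFC 9113 asks servers to apply. All hostnames and the header lists are constructed.

```python
"""Model of the Host / :authority mismatch behind CVE-2021-39242.

Added illustration, not HAProxy's code. An HTTP/2 request is represented as
the decoded header list HPACK yields: a list of (name, value) pairs in which
pseudo-headers start with ':'. Hostnames below are constructed (.invalid TLD).
"""

PSEUDO_AUTHORITY = ":authority"
HOST = "host"


def header(headers, name):
    """Return the first value of a header (names are lowercase in HTTP/2), or None."""
    for n, v in headers:
        if n == name:
            return v
    return None


def acl_host_denied(headers, blocked_hosts):
    """A frontend rule written against the Host header, e.g.
    'http-request deny if { req.hdr(host) -i admin.example.invalid }'.
    With no Host header present, the proxy only has :authority to look at."""
    seen = header(headers, HOST)
    if seen is None:
        seen = header(headers, PSEUDO_AUTHORITY)
    return seen is not None and seen.lower() in blocked_hosts


def forward_to_h2_backend(headers):
    """Unpatched behaviour described in the advisory: the Host header is dropped
    when the request is re-encoded as HTTP/2 for the server, so the backend
    only receives the :authority pseudo-header."""
    return [(n, v) for n, v in headers if n != HOST]


def backend_vhost(headers):
    """What an HTTP/2 origin uses to pick a virtual host: :authority first,
    Host only as a fallback (RFC 9113 section 8.3.1)."""
    return header(headers, PSEUDO_AUTHORITY) or header(headers, HOST)


def authority_host_consistent(headers):
    """The check a conforming HTTP/2 server applies (RFC 9113 section 8.3.1):
    when both :authority and Host are present they must name the same entity,
    otherwise the request is malformed and should be rejected."""
    authority = header(headers, PSEUDO_AUTHORITY)
    host = header(headers, HOST)
    if authority is None or host is None:
        return True
    return authority.lower() == host.lower()


def route(headers, blocked_hosts, enforce_consistency):
    """Simulated frontend: returns (decision, virtual host seen by the backend)."""
    if enforce_consistency and not authority_host_consistent(headers):
        return ("rejected-malformed", None)
    if acl_host_denied(headers, blocked_hosts):
        return ("denied-by-acl", None)
    out = forward_to_h2_backend(headers)
    return ("forwarded", backend_vhost(out))


# Constructed request: the Host header names the public site while the
# :authority pseudo-header names the host the ACL is supposed to block.
SMUGGLED = [
    (":method", "GET"),
    (":scheme", "https"),
    (":authority", "admin.example.invalid"),
    (":path", "/"),
    ("host", "www.example.invalid"),
]
# Constructed request from a client that only sends :authority, as HTTP/2 clients normally do.
HONEST = [
    (":method", "GET"),
    (":scheme", "https"),
    (":authority", "admin.example.invalid"),
    (":path", "/"),
]
BLOCKED = {"admin.example.invalid"}

if __name__ == "__main__":
    print("honest request, no check:", route(HONEST, BLOCKED, False))
    print("mismatched request, no check:", route(SMUGGLED, BLOCKED, False))
    print("mismatched request, RFC 9113 check:", route(SMUGGLED, BLOCKED, True))
```

Without the consistency check, the honest request is denied but the mismatched one is forwarded and the backend selects the blocked virtual host from :authority; with the check, the mismatched request is rejected before any rule runs.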
The following options fix or mitigate the issue (HAProxy Mail, Fedora Update):
1) Stop speaking HTTP/2 to servers by removing 'proto h2' from server lines, so the Host header is forwarded to the origin as received.
2) Place 'http-request set-uri %[url]' at the very beginning of every HTTP frontend, before any rule that inspects the request.
3) Disable HTTP/2 processing on the frontends altogether with 'tune.h2.max-concurrent-streams 0' in the global section, at the cost of HTTP/2 support for all clients.
4) Upgrade to HAProxy 2.2.16, 2.3.13, 2.4.3 or later; this is the only option that removes the defect rather than working around it.
Workarounds 1 to 3 must be applied to every frontend and backend consistently: a single server line left with 'proto h2' behind a frontend without the set-uri rule keeps the ambiguity.
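The configuration below is an added example, not a fragment from the advisory or from any HAProxy distribution. It shows the vulnerable shape (a Host-based deny in front of an HTTP/2 server) next to the first two workarounds listed above. Hostnames, addresses and certificate paths are constructed, and the two frontends are alternatives to compare, not meant to be loaded in one running instance.

```haproxy
# Added example for CVE-2021-39242; hostnames, addresses and paths are constructed.

# Vulnerable shape on HAProxy 2.2 < 2.2.16, 2.3 < 2.3.13, 2.4 < 2.4.3:
frontend fe_https_vulnerable
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    # Evaluated against the Host header. An HTTP/2 client can send a
    # different :authority, and that is what the h2 server below receives
    # once the Host header is dropped on the way out.
    http-request deny if { req.hdr(host) -i admin.example.invalid }
    default_backend be_app_h2

backend be_app_h2
    server app1 10.0.0.10:8443 ssl verify required ca-file /etc/haproxy/ca.pem proto h2

# Mitigated shape (alternative to the frontend/backend above):
frontend fe_https_mitigated
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    # Workaround 2: must be the first rule of the frontend, ahead of any
    # ACL, deny or routing decision.
    http-request set-uri %[url]
    http-request deny if { req.hdr(host) -i admin.example.invalid }
    default_backend be_app_h1

backend be_app_h1
    # Workaround 1: no "proto h2", so the request is sent as HTTP/1.1 and
    # the Host header the rules saw is the one the origin receives.
    server app1 10.0.0.10:8443 ssl verify required ca-file /etc/haproxy/ca.pem

# Workaround 3 (global, disables HTTP/2 on all frontends):
# global
#     tune.h2.max-concurrent-streams 0
```

Either workaround on its own is sufficient according to the advisory; the example stacks both so that a later change to one of them does not silently reopen the issue. Upgrading to a fixed release remains the real fix.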
Source: This report was generated using AI