CVE-2023-45539: 
Podman vulnerability analysis and mitigation

HAProxy before version 2.8.2 contains a vulnerability (CVE-2023-45539) where it incorrectly accepts '#' as part of the URI component. The vulnerability was discovered in July 2023 and publicly disclosed in November 2023. This issue affects all HAProxy installations prior to version 2.8.2 (HAProxy Release, NVD).

The vulnerability stems from HAProxy's improper handling of URL fragments (parts following the '#' character) in URI components. When processing requests, HAProxy would pass these fragments through without proper validation or trimming. This behavior contradicts RFC9110 specifications, which clearly state that URIs should not contain fragment components. The issue particularly affects path_end rules in the configuration. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (NVD).

The vulnerability could allow remote attackers to obtain sensitive information through misinterpretation of path_end rules. For example, a request containing 'index.html#.png' could be incorrectly routed to a static server, potentially exposing confidential data. Such requests appear at a rate of approximately 1 per million and are typically generated by poorly written crawlers or vulnerability scanners (HAProxy Release).

The primary mitigation is to upgrade to HAProxy version 2.8.2 or later, which actively rejects requests containing URL fragments by default. For users unable to upgrade immediately, a temporary workaround is available by using the 'option accept-invalid-http-request' configuration directive, though this is not recommended for security reasons. The fix implemented in version 2.8.2 aligns with other HTTP implementations that either trim or reject such requests (HAProxy Release, Debian Advisory).