{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos-stream8els/vex/2023/cve-2023-0056-els_os-centos-stream8els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-20T15:35:13Z",
      "generator": {
        "date": "2026-04-20T15:35:13Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2023-0056-ELS_OS-CENTOS-STREAM8ELS",
      "initial_release_date": "2023-03-23T21:15:00Z",
      "revision_history": [
        {
          "date": "2023-03-23T21:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-13T12:35:19Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-04-20T15:35:13Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2023-0056"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 8",
                "product": {
                  "name": "Community Enterprise Operating System 8",
                  "product_id": "CentOS-Stream-8",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:8:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "haproxy-0:1.8.27-5.el8.x86_64",
                "product": {
                  "name": "haproxy-0:1.8.27-5.el8.x86_64",
                  "product_id": "haproxy-0:1.8.27-5.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/haproxy@1.8.27-5.el8?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "haproxy-0:1.8.27-5.el8.tuxcare.els1.x86_64",
                "product": {
                  "name": "haproxy-0:1.8.27-5.el8.tuxcare.els1.x86_64",
                  "product_id": "haproxy-0:1.8.27-5.el8.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/haproxy@1.8.27-5.el8.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "haproxy-0:1.8.27-5.el8.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 8",
          "product_id": "CentOS-Stream-8:haproxy-0:1.8.27-5.el8.tuxcare.els1.x86_64"
        },
        "product_reference": "haproxy-0:1.8.27-5.el8.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-Stream-8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "haproxy-0:1.8.27-5.el8.x86_64 as a component of Community Enterprise Operating System 8",
          "product_id": "CentOS-Stream-8:haproxy-0:1.8.27-5.el8.x86_64"
        },
        "product_reference": "haproxy-0:1.8.27-5.el8.x86_64",
        "relates_to_product_reference": "CentOS-Stream-8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-0056",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "CentOS-Stream-8:haproxy-0:1.8.27-5.el8.tuxcare.els1.x86_64",
          "CentOS-Stream-8:haproxy-0:1.8.27-5.el8.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-0056"
        },
        {
          "category": "external",
          "summary": "Red Hat CVE page for CVE-2023-0056",
          "url": "https://access.redhat.com/security/cve/CVE-2023-0056"
        }
      ],
      "release_date": "2023-03-23T21:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "Deprioritize: CVE-2023-0056 is a denial-of-service issue in HAProxy's HTTP/2 response handling that affects availability only, with no confidentiality or integrity impact. It cannot be triggered simply by sending crafted client requests: exploitation requires authenticated access to an OpenShift cluster in order to run a backend server that HAProxy will contact, a precondition that does not exist when backends are administrator-controlled. The flaw has been fixed upstream and backported by major distributions since January 2023, further reducing residual exposure. No fix is planned for the packages listed here, so this assessment depends on backends remaining administrator-controlled.",
          "product_ids": [
            "CentOS-Stream-8:haproxy-0:1.8.27-5.el8.tuxcare.els1.x86_64",
            "CentOS-Stream-8:haproxy-0:1.8.27-5.el8.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-Stream-8:haproxy-0:1.8.27-5.el8.tuxcare.els1.x86_64",
            "CentOS-Stream-8:haproxy-0:1.8.27-5.el8.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}