Home > Vulnerability Database > CVE-2024-7885

Mend.io Vulnerability Database

CVE-2024-7885

Good to know:

Date: August 21, 2024

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

Language: Java

Severity Score

7.5

Related Resources (7)

Url: https://github.com/undertow-io/undertow/blob/182e4ca1543c52f438b0244c930dca3d8b6e68e3/core/src/main/java/io/undertow/server/protocol/proxy/ProxyProtocolReadListener.java

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2305290

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-7885

Url: https://access.redhat.com/security/cve/CVE-2024-7885

Url: https://github.com/undertow-io/undertow

Url: https://access.redhat.com/errata/RHSA-2024:6508

Url: https://www.mend.io/vulnerability-database/CVE-2024-7885

Severity Score

7.5

Weakness Type (CWE)

Race Conditions

CWE-362

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-7885

Good to know:

Date: August 21, 2024

Language: Java

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?