Home > Vulnerability Database > CVE-2024-7885

Mend.io Vulnerability Database

CVE-2024-7885

Good to know:

Date: August 21, 2024

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

Language: Java

Severity Score

7.5

Related Resources (15)

Url: https://access.redhat.com/errata/RHSA-2024:7442

Url: https://access.redhat.com/errata/RHSA-2024:7441

Url: https://github.com/undertow-io/undertow/blob/182e4ca1543c52f438b0244c930dca3d8b6e68e3/core/src/main/java/io/undertow/server/protocol/proxy/ProxyProtocolReadListener.java

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2305290

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-7885

Url: https://access.redhat.com/errata/RHSA-2024:6883

Url: https://github.com/undertow-io/undertow

Url: https://github.com/undertow-io/undertow/commit/80c125e09068ac52ed0a9acde266ef12f8ed7ae1

Url: https://security.netapp.com/advisory/ntap-20241011-0004/

Url: https://access.redhat.com/security/cve/CVE-2024-7885

Url: https://access.redhat.com/errata/RHSA-2024:7736

Url: https://access.redhat.com/errata/RHSA-2024:7735

Url: https://access.redhat.com/errata/RHSA-2024:6508

Url: https://github.com/undertow-io/undertow/commit/ce5182c37376982ef0abee34fce0d8c0aab0fab8

Url: https://www.mend.io/vulnerability-database/CVE-2024-7885

Severity Score

7.5

Weakness Type (CWE)

Race Conditions

CWE-362

Top Fix

Upgrade Version

Upgrade to version io.undertow:undertow-core:2.2.36.Final,2.3.17.Final

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-7885

Good to know:

Date: August 21, 2024

Language: Java

Severity Score

Related Resources (15)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?