216.73.217.64

CVE-2024-7885

· Published 21/08/2024 14:15 · Modified 07/10/2024 21:15

Labels: CVE-2024-7885 2024-08-21CVE-2024-7885CWE-362NVD-CWE-noinfo[email protected]

Essential information

Published
21/08/2024 14:15
Modified
07/10/2024 21:15
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

NVD status

Status
Modified — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
redhat / build of apache camel - hawtio cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:-:*:*:*:*:*:*:*
redhat / build of apache camel for spring boot cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:-:*:*:*:*:*:*:*
redhat / build of keycloak cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:*:*:*:*
redhat / data grid cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*
redhat / integration camel k cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
redhat / jboss enterprise application platform cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
redhat / jboss enterprise application platform cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
redhat / jboss fuse cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
redhat / process automation cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
redhat / single sign-on cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*

References