Undertow ProxyProtocolReadListener Vulnerability
CVE-2024-7885

7.5HIGH

Key Information:

Vendor
Red Hat
Status
Red Hat Build Of Apache Camel 3.20.7 For Spring Boot
Red Hat Build Of Apache Camel 4.4.2 For Spring Boot
Red Hat Jboss Enterprise Application Platform 7.1.0
Red Hat Jboss Enterprise Application Platform 7.4 For Rhel 8
Vendor
CVE Published:
21 August 2024

Summary

A notable vulnerability exists in the Undertow HTTP server related to the handling of multiple requests over the same HTTP connection. The issue stemmed from the misuse of a shared StringBuilder instance within the ProxyProtocolReadListener, specifically during the process of handling requests in the parseProxyProtocolV1 method. This flaw can lead to information leakage, where sensitive data from a preceding request may be inadvertently included in a subsequent response. The consequence is not only potential data exposure but also issues with connection stability, as errors may arise during processing, affecting overall application performance in environments that handle multiple requests concurrently.

References

https://access.redhat.com/errata/RHSA-2024:6508
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6883
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:7441
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank BfC for reporting this issue.
.