Undertow ProxyProtocolReadListener Vulnerability
CVE-2024-7885

7.5HIGH

Key Information:

Status
Hawtio 4.0.0 For Red Hat Build Of Apache Camel 4
Red Hat Build Of Apache Camel 3.20.7 For Spring Boot
Red Hat Build Of Apache Camel 4.4.2 For Spring Boot
Vendor
CVE Published:
21 August 2024

What is CVE-2024-7885?

A notable vulnerability exists in the Undertow HTTP server related to the handling of multiple requests over the same HTTP connection. The issue stemmed from the misuse of a shared StringBuilder instance within the ProxyProtocolReadListener, specifically during the process of handling requests in the parseProxyProtocolV1 method. This flaw can lead to information leakage, where sensitive data from a preceding request may be inadvertently included in a subsequent response. The consequence is not only potential data exposure but also issues with connection stability, as errors may arise during processing, affecting overall application performance in environments that handle multiple requests concurrently.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://access.redhat.com/errata/RHSA-2024:11023
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6508
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6883
vendor-advisoryx_refsource_REDHAT

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank BfC for reporting this issue.
JSON
.