CVE-2024-7885

CVSS V2 None CVSS V3 None

Description

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

Overview

CVE ID
CVE-2024-7885

Assigner
redhat

Vulnerability Status
PUBLISHED

Published Version
2024-08-21T14:13:36.579Z

Last Modified Date
2024-08-21T15:21:42.735Z

Weakness Enumerations

CWE	URL
CWE-362	http://cwe.mitre.org/data/definitions/362.html

References

Reference URL	Reference Tags
https://access.redhat.com/security/cve/CVE-2024-7885	vdb-entry x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2305290	issue-tracking x_refsource_REDHAT

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-7885
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7885

History

Created	Old Value	New Value	Data Type	Notes
2024-08-22 13:09:40				Added to TrackCVE