A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
History

Thu, 12 Dec 2024 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhboac_hawtio:4 cpe:/a:redhat:rhboac_hawtio:4.0.0
References

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Mon, 07 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
References

Tue, 01 Oct 2024 11:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jboss_enterprise_application_platform:8.0
cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
References

Thu, 19 Sep 2024 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:apache_camel_spring_boot:3.20.7
References

Wed, 18 Sep 2024 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:22 cpe:/a:redhat:build_keycloak:

Mon, 09 Sep 2024 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat apache Camel Spring Boot
CPEs cpe:/a:redhat:camel_spring_boot:4 cpe:/a:redhat:apache_camel_spring_boot:4.4.2
cpe:/a:redhat:camel_spring_boot:3
Vendors & Products Redhat apache Camel Spring Boot
References

Fri, 23 Aug 2024 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Apache Camel - Hawtio
Redhat build Of Apache Camel For Spring Boot
Redhat build Of Keycloak
Redhat data Grid
Redhat integration Camel K
Redhat process Automation
Redhat single Sign-on
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
Vendors & Products Redhat build Of Apache Camel - Hawtio
Redhat build Of Apache Camel For Spring Boot
Redhat build Of Keycloak
Redhat data Grid
Redhat integration Camel K
Redhat process Automation
Redhat single Sign-on

Wed, 21 Aug 2024 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Aug 2024 14:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
Title undertow: Improper State Management in Proxy Protocol parsing causes information leakage Undertow: improper state management in proxy protocol parsing causes information leakage
First Time appeared Redhat
Redhat build Keycloak
Redhat camel Spring Boot
Redhat integration
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat quarkus
Redhat red Hat Single Sign On
Redhat rhboac Hawtio
CPEs cpe:/a:redhat:build_keycloak:22
cpe:/a:redhat:camel_spring_boot:4
cpe:/a:redhat:integration:1
cpe:/a:redhat:jboss_data_grid:7
cpe:/a:redhat:jboss_data_grid:8
cpe:/a:redhat:jboss_enterprise_application_platform:7
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
cpe:/a:redhat:jboss_fuse:7
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:quarkus:3
cpe:/a:redhat:red_hat_single_sign_on:7
cpe:/a:redhat:rhboac_hawtio:4
Vendors & Products Redhat
Redhat build Keycloak
Redhat camel Spring Boot
Redhat integration
Redhat jboss Data Grid
Redhat jboss Enterprise Application Platform
Redhat jboss Enterprise Bpms Platform
Redhat jboss Fuse
Redhat jbosseapxp
Redhat quarkus
Redhat red Hat Single Sign On
Redhat rhboac Hawtio
References

Fri, 16 Aug 2024 23:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title undertow: Improper State Management in Proxy Protocol parsing causes information leakage
Weaknesses CWE-362
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-08-21T14:13:36.579Z

Updated: 2024-12-12T21:41:13.765Z

Reserved: 2024-08-16T15:35:47.357Z

Link: CVE-2024-7885

cve-icon Vulnrichment

Updated: 2024-10-11T22:03:18.905Z

cve-icon NVD

Status : Modified

Published: 2024-08-21T14:15:09.500

Modified: 2024-12-12T22:15:08.717

Link: CVE-2024-7885

cve-icon Redhat

Severity : Important

Publid Date: 2024-08-07T00:00:00Z

Links: CVE-2024-7885 - Bugzilla