CVE-2024-7885

CWE-362 — Race Condition9 documents7 sources

Severity

7.5HIGH

EPSS

10.7%

top 6.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Data Grid Redhat Jboss Enterprise Application Platform Redhat Jboss Fuse +2 more

Timeline

PublishedAug 21

Latest updateJul 15

Description

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could le…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶NVDredhat/data_grid8.0.0

▶Mavenio.undertow:undertow-core2.3.0.Alpha1 — 2.3.17.Final+1

▶Debianundertow< 2.3.18-1

▶NVDredhat/jboss_fuse7.0.0

▶NVDredhat/single_sign-on7.0

🔴Vulnerability Details

CVEList

Undertow: improper state management in proxy protocol parsing causes information leakage↗2024-08-21

▶

OSV

CVE-2024-7885: A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests↗2024-08-21

▶

OSV

Undertow vulnerable to Race Condition↗2024-08-21

▶

GHSA

Undertow vulnerable to Race Condition↗2024-08-21

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Platform (Undertow) — CVE-2024-7885↗2025-07-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Install (Undertow) — CVE-2024-7885↗2025-01-15

▶

Red Hat

undertow: Improper State Management in Proxy Protocol parsing causes information leakage↗2024-08-07

▶

Debian

CVE-2024-7885: undertow - A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses...↗2024

▶