7.5
CVE-2024-6162
- EPSS 2.02%
- Veröffentlicht 20.06.2024 15:15:50
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Undertow: url-encoded request path information can be broken on ajp-listener
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/undertow-io/undertow
≫
Paket
undertow
Version
0
Version <
2.2.33.Final
Status
affected
Version
2.3.0.Alpha1
Version <
2.3.14
Status
affected
HerstellerRed Hat
≫
Produkt
EAP 8.0.1
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat JBoss Enterprise Application Platform Expansion Pack
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Apache Camel for Spring Boot 3
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat build of Apache Camel - HawtIO 4
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat Build of Keycloak
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat Data Grid 8
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat Fuse 7
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Integration Camel K 1
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat JBoss Data Grid 7
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat JBoss Enterprise Application Platform 7
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat JBoss Enterprise Application Platform 8
Default Statusunaffected
HerstellerRed Hat
≫
Produkt
Red Hat JBoss Enterprise Application Platform Expansion Pack
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Process Automation 7
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Single Sign-On 7
Default Statusaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.02% | 0.835 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-488 Exposure of Data Element to Wrong Session
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.