CVE-2024-7885

2024-08-2100:00:00

ubuntu.com

undertow

vulnerability

proxyprotocolreadlistener

stringbuilder

http

information leakage

data exposure

errors

connection termination

cve-2024-7885

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.9

Confidence

Low

EPSS

0.001

Percentile

21.9%

JSON

A vulnerability was found in Undertow where the ProxyProtocolReadListener
reuses the same StringBuilder instance across multiple requests. This issue
occurs when the parseProxyProtocolV1 method processes multiple requests on
the same HTTP connection. As a result, different requests may share the
same StringBuilder instance, potentially leading to information leakage
between requests or responses. In some cases, a value from a previous
request or response may be erroneously reused, which could lead to
unintended data exposure. This issue primarily results in errors and
connection termination but creates a risk of data leakage in multi-request
environments.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchundertow< anyUNKNOWN
ubuntu20.04noarchundertow< anyUNKNOWN
ubuntu22.04noarchundertow< anyUNKNOWN
ubuntu24.04noarchundertow< anyUNKNOWN
ubuntu16.04noarchundertow< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	undertow	< any	UNKNOWN
ubuntu	20.04	noarch	undertow	< any	UNKNOWN
ubuntu	22.04	noarch	undertow	< any	UNKNOWN
ubuntu	24.04	noarch	undertow	< any	UNKNOWN
ubuntu	16.04	noarch	undertow	< any	UNKNOWN