CVE-2024-7885

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*

History

21 Nov 2024, 09:52

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20241011-0004/ -

07 Oct 2024, 21:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:7735 -
  • () https://access.redhat.com/errata/RHSA-2024:7736 -

01 Oct 2024, 11:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:7441 -
  • () https://access.redhat.com/errata/RHSA-2024:7442 -

19 Sep 2024, 20:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:6883 -

09 Sep 2024, 23:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:6508 -

23 Aug 2024, 17:05

Type Values Removed Values Added
CWE NVD-CWE-noinfo
First Time Redhat process Automation
Redhat single Sign-on
Redhat build Of Keycloak
Redhat build Of Apache Camel For Spring Boot
Redhat jboss Fuse
Redhat
Redhat integration Camel K
Redhat jboss Enterprise Application Platform
Redhat build Of Apache Camel - Hawtio
Redhat data Grid
References () https://access.redhat.com/security/cve/CVE-2024-7885 - () https://access.redhat.com/security/cve/CVE-2024-7885 - Vendor Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=2305290 - () https://bugzilla.redhat.com/show_bug.cgi?id=2305290 - Issue Tracking, Vendor Advisory
CPE cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:*:*:*:*
Summary
  • (es) Se encontró una vulnerabilidad en Undertow donde ProxyProtocolReadListener reutiliza la misma instancia de StringBuilder en múltiples solicitudes. Este problema ocurre cuando el método parseProxyProtocolV1 procesa múltiples solicitudes en la misma conexión HTTP. Como resultado, diferentes solicitudes pueden compartir la misma instancia de StringBuilder, lo que podría provocar una fuga de información entre solicitudes o respuestas. En algunos casos, un valor de una solicitud o respuesta anterior puede reutilizarse por error, lo que podría provocar una exposición no deseada de los datos. Este problema produce principalmente errores y terminación de la conexión, pero crea un riesgo de fuga de datos en entornos de solicitudes múltiples.

21 Aug 2024, 16:06

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-21 14:15

Updated : 2024-11-21 09:52


NVD link : CVE-2024-7885

Mitre link : CVE-2024-7885

CVE.ORG link : CVE-2024-7885


JSON object : View

Products Affected

redhat

  • build_of_keycloak
  • jboss_fuse
  • build_of_apache_camel_for_spring_boot
  • single_sign-on
  • build_of_apache_camel_-_hawtio
  • jboss_enterprise_application_platform
  • integration_camel_k
  • data_grid
  • process_automation
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

NVD-CWE-noinfo