A vulnerability was found in Undertow where the "ProxyProtocolReadListener" reuses the same "StringBuilder" instance across multiple requests. This issue occurs when the "parseProxyProtocolV1" method processes multiple requests on the same HTTP connection. As a result, different requests may share the same "StringBuilder" instance, potentially leading to information leakage between requests or responses. Sometimes, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments. This issue affects io.undertow:undertow-core versions 2.0.0.Beta1 through 2.3.16.Final.
HIGH Vulnerable Package issue exists @ io.undertow:undertow-core in branch refs/heads/master
Description
A vulnerability was found in Undertow where the "ProxyProtocolReadListener" reuses the same "StringBuilder" instance across multiple requests. This issue occurs when the "parseProxyProtocolV1" method processes multiple requests on the same HTTP connection. As a result, different requests may share the same "StringBuilder" instance, potentially leading to information leakage between requests or responses. Sometimes, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments. This issue affects io.undertow:undertow-core versions 2.0.0.Beta1 through 2.3.16.Final.
HIGH Vulnerable Package issue exists @ io.undertow:undertow-core in branch refs/heads/master
Vulnerability ID: CVE-2024-7885
Package Name: io.undertow:undertow-core
Severity: HIGH
CVSS Score: 7.5
Publish Date: 2024-08-21T14:15:00
Current Package Version: 2.0.9.Final
Remediation Upgrade Recommendation: 2.2.36.Final
Link To SCA
Reference – NVD link