CVE-2024-6162

HIGH

Undertow 2.3.0.Alpha1-2.3.13.Final - Denial of Service via Concurrent AJP Request Path Decoding


Description

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

References

Issue Tracking (Red Hat Bugzilla): https://bugzilla.redhat.com/show_bug.cgi?id=2293069
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:1194
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:4386
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:4884
Vendor Advisory (VDB entry): https://access.redhat.com/security/cve/CVE-2024-6162

Scores

CVSS v3 base score: 7.5
EPSS score: 0.0202
EPSS percentile: 84.0%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-488
Status: published

Products (15)

io.undertow/undertow-core 2.3.0.Alpha1 - 2.3.14.Final (Maven)
Red Hat / EAP 8.0.1
Red Hat / Red Hat build of Apache Camel - HawtIO 4
Red Hat / Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
Red Hat / Red Hat build of Apache Camel for Spring Boot 3
Red Hat / Red Hat Build of Keycloak
Red Hat / Red Hat Data Grid 8
Red Hat / Red Hat Fuse 7
Red Hat / Red Hat Integration Camel K 1
Red Hat / Red Hat JBoss Data Grid 7
... and 5 more
Published: Jun 20, 2024
Tracked Since: Feb 18, 2026