CVE-2024-7885

HIGH

Undertow < 2.2.36.Final - Information Leak via ProxyProtocolReadListener StringBuilder Reuse

Title source: llm
STIX 2.1

Description

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

References (13)

Core 13
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:11023
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:6508
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:6883
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:7441
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:7442
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:7735
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:7736
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:8080
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:16667
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2026:0743
Vendor Advisory vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2024-7885
Issue Tracking, Vendor Advisory issue-tracking x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2305290

Scores

CVSS v3 7.5
EPSS 0.1070
EPSS Percentile 93.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-362
Status published
Products (11)
io.undertow/undertow-core 0 - 2.2.36.FinalMaven
redhat/build_of_apache_camel_-_hawtio
redhat/build_of_apache_camel_for_spring_boot
redhat/build_of_keycloak
redhat/data_grid 8.0.0
redhat/integration_camel_k
redhat/jboss_enterprise_application_platform 7.0.0
redhat/jboss_enterprise_application_platform 8.0.0
redhat/jboss_fuse 7.0.0
redhat/process_automation 7.0
... and 1 more
Published Aug 21, 2024
Tracked Since Feb 18, 2026