Bug#1082854: undertow: CVE-2024-7885
Moritz Mühlenhoff
jmm at inutil.org
Fri Sep 27 13:31:11 BST 2024
Source: undertow
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for undertow.
CVE-2024-7885[0]:
| A vulnerability was found in Undertow where the
| ProxyProtocolReadListener reuses the same StringBuilder instance
| across multiple requests. This issue occurs when the
| parseProxyProtocolV1 method processes multiple requests on the same
| HTTP connection. As a result, different requests may share the same
| StringBuilder instance, potentially leading to information leakage
| between requests or responses. In some cases, a value from a
| previous request or response may be erroneously reused, which could
| lead to unintended data exposure. This issue primarily results in
| errors and connection termination but creates a risk of data leakage
| in multi-request environments.
https://bugzilla.redhat.com/show_bug.cgi?id=2305290
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-7885
https://www.cve.org/CVERecord?id=CVE-2024-7885
Please adjust the affected versions in the BTS as needed.
More information about the pkg-java-maintainers
mailing list