Bug#1077546: undertow: CVE-2024-6162
tony mancill
tmancill at debian.org
Sat Oct 11 19:42:14 BST 2025
On Mon, Jul 29, 2024 at 09:32:24PM +0200, Moritz Mühlenhoff wrote:
> Source: undertow
> X-Debbugs-CC: team at security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for undertow.
>
> CVE-2024-6162[0]:
> | A vulnerability was found in Undertow. URL-encoded request path
> | information can be broken for concurrent requests on ajp-listener,
> | causing the wrong path to be processed and resulting in a possible
> | denial of service.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2293069
Hi,
According to CVE-2024-6162 [1] and the release notes for 2.3.14 [2],
this CVE was addressed by the upload of 2.3.18 [3].
Are there any concerns with marking the bug as resolved in 2.3.18-1?
Thank you,
tony
[1] https://www.cve.org/CVERecord?id=CVE-2024-6162
[2] https://github.com/undertow-io/undertow/releases/tag/2.3.14.Final
[3] https://tracker.debian.org/news/1600935/accepted-undertow-2318-1-source-into-unstable/