๐Ÿ” CVE Alert

CVE-2024-6162

HIGH 7.5

Undertow: url-encoded request path information can be broken on ajp-listener

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

CWE: CWE-488
Published: Jun 20, 2024
Last Updated: Feb 25, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

Red Hat / EAP 8.0.1
All versions affected
Red Hat / Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2
All versions affected
Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
All versions affected
Red Hat / Red Hat build of Apache Camel for Spring Boot 3
All versions affected
Red Hat / Red Hat build of Apache Camel - HawtIO 4
All versions affected
Red Hat / Red Hat Build of Keycloak
All versions affected
Red Hat / Red Hat Data Grid 8
All versions affected
Red Hat / Red Hat Fuse 7
All versions affected
Red Hat / Red Hat Integration Camel K 1
All versions affected
Red Hat / Red Hat JBoss Data Grid 7
All versions affected
Red Hat / Red Hat JBoss Enterprise Application Platform 7
All versions affected
Red Hat / Red Hat JBoss Enterprise Application Platform 8
All versions affected
Red Hat / Red Hat Process Automation 7
All versions affected
Red Hat / Red Hat Single Sign-On 7
All versions affected

References

NVD, CVE.org, EPSS Data

access.redhat.com: https://access.redhat.com/errata/RHSA-2024:1194
access.redhat.com: https://access.redhat.com/errata/RHSA-2024:4386
access.redhat.com: https://access.redhat.com/errata/RHSA-2024:4884
access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-6162
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2293069
issues.redhat.com: https://issues.redhat.com/browse/JBEAP-26268
security.netapp.com: https://security.netapp.com/advisory/ntap-20241129-0009/