CVE-2024-7885
Undertow: improper state management in proxy protocol parsing causes information leakage
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
| CWE | CWE-362 |
| Published | Aug 21, 2024 |
| Last Updated | Jan 19, 2026 |
Stay Ahead of the Next One
Get instant alerts for
Be the first to know when new high vulnerabilities are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
Red Hat / HawtIO 4.0.0 for Red Hat build of Apache Camel 4
All versions affected Red Hat / Red Hat build of Apache Camel 3.20.7 for Spring Boot
All versions affected Red Hat / Red Hat build of Apache Camel 4.4.2 for Spring Boot
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat build of Apache Camel for Spring Boot 3
All versions affected Red Hat / Red Hat build of Apache Camel - HawtIO 4
All versions affected Red Hat / Red Hat Build of Keycloak
All versions affected Red Hat / Red Hat build of Quarkus
All versions affected Red Hat / Red Hat Data Grid 8
All versions affected Red Hat / Red Hat Fuse 7
All versions affected Red Hat / Red Hat Integration Camel K 1
All versions affected Red Hat / Red Hat JBoss Data Grid 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
All versions affected Red Hat / Red Hat Process Automation 7
All versions affected Red Hat / Red Hat Single Sign-On 7
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2024:11023 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:6508 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:6883 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:7441 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:7442 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:7735 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:7736 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:8080 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:16667 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:0743 access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-7885 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2305290 security.netapp.com: https://security.netapp.com/advisory/ntap-20241011-0004/
Credits
Red Hat would like to thank BfC for reporting this issue.