CX: CVE-2024-7885 in Maven-io.undertow:undertow-core and 2.0.9.Final @ JavaVulnerableLab-1.refs/heads/master

[github-actions]

Description

A vulnerability was found in Undertow where the "ProxyProtocolReadListener" reuses the same "StringBuilder" instance across multiple requests. This issue occurs when the "parseProxyProtocolV1" method processes multiple requests on the same HTTP connection. As a result, different requests may share the same "StringBuilder" instance, potentially leading to information leakage between requests or responses. Sometimes, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments. This issue affects io.undertow:undertow-core versions 2.0.0.Beta1 through 2.3.16.Final.

HIGH Vulnerable Package issue exists @ io.undertow:undertow-core in branch refs/heads/master

Vulnerability ID: CVE-2024-7885

Package Name: io.undertow:undertow-core

Severity: HIGH

CVSS Score: 7.5

Publish Date: 2024-08-21T14:15:00

Current Package Version: 2.0.9.Final

Remediation Upgrade Recommendation: 2.2.36.Final

Link To SCA

Reference – NVD link