
CVE-2024-7885 undertow: Improper State Management in Proxy Protocol parsing causes information leakage [rhsso-7]


      Security Tracking Issue

      Do not make this issue public.

      Flaw:


      Improper State Management in Proxy Protocol parsing causes information leakage
      https://bugzilla.redhat.com/show_bug.cgi?id=2305290

      A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
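Added illustration of the bug class this flaw describes (a parser that keeps one StringBuilder alive across requests on a connection). This is a constructed toy, not Undertow's ProxyProtocolReadListener or parseProxyProtocolV1; the class names, the split helper and the sample traffic are invented for the demo. It shows how a truncated first header leaves residue in a shared buffer, how that residue then surfaces while handling the next request on the same connection, and why a per-request buffer removes the problem.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Function;

/*
 * Constructed illustration of state reuse across requests. Not Undertow's code:
 * ProxyV1StateReuseDemo, SharedBufferParser, PerRequestBufferParser and split()
 * are invented names, and the traffic below is made up for the demo.
 */
public class ProxyV1StateReuseDemo {

    /** Fields of a PROXY protocol v1 line: "PROXY TCP4 <src> <dst> <sport> <dport>\r\n". */
    record ProxyHeader(String family, String srcAddr, String dstAddr, int srcPort, int dstPort) {}

    /** Splits one header chunk into space-separated fields, accumulating characters in 'token'. */
    static List<String> split(String chunk, StringBuilder token) {
        List<String> fields = new ArrayList<>();
        for (int i = 0; i < chunk.length(); i++) {
            char c = chunk.charAt(i);
            if (c == ' ' || c == '\r') {
                fields.add(token.toString());
                token.setLength(0);
            } else if (c == '\n') {
                return fields;              // end of the header line
            } else {
                token.append(c);
            }
        }
        // No CRLF seen: the connection delivered a truncated header. Whatever is still in
        // 'token' stays there for the caller, which is exactly where reuse becomes dangerous.
        throw new IllegalArgumentException("incomplete PROXY header");
    }

    static ProxyHeader toHeader(List<String> f) {
        if (f.size() != 6 || !"PROXY".equals(f.get(0))) {
            throw new IllegalArgumentException("malformed PROXY header, fields=" + f);
        }
        return new ProxyHeader(f.get(1), f.get(2), f.get(3),
                Integer.parseInt(f.get(4)), Integer.parseInt(f.get(5)));
    }

    /** Vulnerable shape: one StringBuilder per listener, reused for every request on the connection. */
    static final class SharedBufferParser {
        private final StringBuilder token = new StringBuilder();

        ProxyHeader parse(String chunk) {
            return toHeader(split(chunk, token));   // leftover from a failed parse survives here
        }
    }

    /** Corrected shape: a fresh StringBuilder per parse, so nothing carries over between requests. */
    static final class PerRequestBufferParser {
        ProxyHeader parse(String chunk) {
            return toHeader(split(chunk, new StringBuilder()));
        }
    }

    /** Feeds two constructed requests from one connection through a parser and reports each outcome. */
    static String run(String name, Function<String, ProxyHeader> parse) {
        String[] requests = {
            "PROXY TCP4 10.0.0.5 10.0.0.9 51234 44",      // first header cut off before "3\r\n"
            "PROXY TCP4 192.0.2.7 10.0.0.9 40000 443\r\n", // second header is well formed
        };
        StringBuilder log = new StringBuilder(name).append(":\n");
        for (String r : requests) {
            try {
                log.append("  ok   ").append(parse.apply(r)).append('\n');
            } catch (IllegalArgumentException e) {
                log.append("  fail ").append(e.getMessage()).append('\n');
            }
        }
        return log.toString();
    }

    public static void main(String[] args) {
        // Shared buffer: the second request fails, and its error carries "44" from the first request.
        System.out.print(run("shared buffer", new SharedBufferParser()::parse));
        // Per-request buffer: the second request parses cleanly despite the earlier truncation.
        System.out.print(run("per-request buffer", new PerRequestBufferParser()::parse));
    }
}
```

With the shared buffer, the second request's first field becomes "44PROXY" and the header is rejected, which matches the description above: the visible symptom is an error and a dropped connection, but the bytes that poisoned the parse came from a different request on the same connection. Giving each parse its own buffer (or unconditionally resetting the shared one before every request, including after a failed one) is the property to verify in a fix.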

              abstractj Bruno Oliveira da Silva
              rhn-support-mfindra Michal Findra
              Alexander Schwartz, Alex Szczuczko, Bruno Oliveira da Silva, Chess Hazlett, Denis Richtarik, Douglas Palmer (Inactive), Jon Koops, Marek Posolda, Paramvir Jindal, Pavel Drozd, Peter Skopek, Petr Holasek, Ricardo Martin Camarero, Rob Waters, Stian Thorgersen, Václav Muzikář
              Votes: 0
              Watchers: 3

                Created:
                Updated:
                Resolved: