BDU:2024-08258

Published: 09 Nov 2023
Source: fstec
CVSS3: 7.5
CVSS2: 7.8
EPSS Low

Description

A vulnerability in the AjpRequestParser class of the ajp-listener component of the Undertow web server is related to uncontrolled resource consumption resulting from incorrect decoding of request path information. Exploitation of the vulnerability could allow a remote attacker to cause a denial of service.

Vendor

Red Hat Inc.
Oracle Corp.

Software name

Red Hat Single Sign-On
Red Hat JBoss Data Grid
Red Hat Process Automation
Red Hat Integration Camel K
Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat build of Apache Camel for Spring Boot
undertow
Oracle Communications Cloud Native Core Certificate Management
Oracle Communications Cloud Native Core Unified Data Repository
Red Hat JBoss Enterprise Application Platform
Red Hat Fuse

Software version

7 (Red Hat Single Sign-On)
7 (Red Hat JBoss Data Grid)
7 (Red Hat Process Automation)
- (Red Hat Integration Camel K)
- (Red Hat JBoss Enterprise Application Platform Expansion Pack)
- (Red Hat build of Apache Camel for Spring Boot)
from 2.3.0.Alpha1 up to 2.3.14.Final (undertow)
up to 2.2.33.Final (undertow)
23.4.2 (Oracle Communications Cloud Native Core Certificate Management)
24.2.0 (Oracle Communications Cloud Native Core Unified Data Repository)
8.0.1 (Red Hat JBoss Enterprise Application Platform)
4.4.1 (Red Hat build of Apache Camel for Spring Boot)
7 (Red Hat Fuse)

Software type

Network software
Network tool
Information system application software

Operating systems and hardware platforms

-

Vulnerability severity level

High severity (CVSS 2.0 base score is 7.8)
High severity (CVSS 3.0 base score is 7.5)

Possible remediation measures

Use the recommendations:
For Undertow:
https://github.com/undertow-io/undertow/releases/tag/2.3.14.Final
https://github.com/undertow-io/undertow/releases/tag/2.2.33.Final
https://github.com/advisories/GHSA-9442-gm4v-r222
For Oracle Corp. software products:
https://www.oracle.com/security-alerts/cpuoct2024.html?534662
For Red Hat Inc. software products:
https://access.redhat.com/security/cve/CVE-2024-6162

Vulnerability status

Confirmed by the vendor

Exploit availability

Data being clarified

Remediation information

Vulnerability fixed

Identifiers in other vulnerability description systems

EPSS

Percentile: 83%
0.02024
Low

7.5 High

CVSS3

7.8 High

CVSS2

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 1 year ago

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

CVSS3: 7.5
redhat
more than 1 year ago

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

CVSS3: 7.5
nvd
more than 1 year ago

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

CVSS3: 7.5
debian
more than 1 year ago

A vulnerability was found in Undertow, where URL-encoded request paths ...

CVSS3: 7.5
github
more than 1 year ago

Undertow's url-encoded request path information can be broken on ajp-listener