CVE-2024-6162
Undertow: url-encoded request path information can be broken on ajp-listener
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
A vulnerability was found in Undertow. URL-encoded request path information can be broken for concurrent requests on ajp-listener, causing the wrong path to be processed and resulting in a possible denial of service.
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-06-19 CVE Reserved
- 2024-06-20 CVE Published
- 2025-03-25 CVE Updated
- 2025-04-02 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (6)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-6162 | 2024-06-20 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2293069 | 2024-06-20 | |
| https://access.redhat.com/errata/RHSA-2024:1194 | 2025-03-25 | |
| https://access.redhat.com/errata/RHSA-2024:4386 | 2025-03-25 | |
| https://access.redhat.com/errata/RHSA-2024:4884 | 2025-03-25 | |
| https://issues.redhat.com/browse/JBEAP-26268 | 2024-07-25 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Apache Camel Spring Boot Search vendor "Redhat" for product "Apache Camel Spring Boot" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Build Keycloak Search vendor "Redhat" for product "Build Keycloak" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Build Of Keycloak Search vendor "Redhat" for product "Build Of Keycloak" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Camel Spring Boot Search vendor "Redhat" for product "Camel Spring Boot" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Data Grid Search vendor "Redhat" for product "Data Grid" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Search vendor "Redhat" for product "Integration" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Camel K Search vendor "Redhat" for product "Integration Camel K" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Data Grid Search vendor "Redhat" for product "Jboss Data Grid" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Bpms Platform Search vendor "Redhat" for product "Jboss Enterprise Bpms Platform" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jbosseapxp Search vendor "Redhat" for product "Jbosseapxp" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Process Automation Search vendor "Redhat" for product "Process Automation" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Red Hat Single Sign On Search vendor "Redhat" for product "Red Hat Single Sign On" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Rhboac Hawtio Search vendor "Redhat" for product "Rhboac Hawtio" | * | - |
Affected
| ||||||