{ "threat_severity" : "Moderate", "public_date" : "2024-06-19T00:00:00Z", "bugzilla" : { "description" : "undertow: url-encoded request path information can be broken on ajp-listener", "id" : "2293069", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2293069" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-488", "details" : [ "A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as \"404 Not Found\" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.", "A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as \"404 Not Found\" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up." ], "statement" : "This issue is classified as moderate severity rather than important because it specifically affects URL-encoded request paths under concurrent access conditions, primarily through the AJP listener. While it can lead to 404 errors or application failures, it does not inherently compromise data integrity, security, or lead to direct unauthorized access. The impact is limited to incorrect handling of certain URL-encoded paths, which means it primarily disrupts access to static or encoded resources rather than posing a broader risk to the system’s overall security or functionality.", "affected_release" : [ { "product_name" : "EAP 8.0.1", "release_date" : "2024-03-06T00:00:00Z", "advisory" : "RHSA-2024:1194", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0" }, { "product_name" : "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2", "release_date" : "2024-07-25T00:00:00Z", "advisory" : "RHSA-2024:4884", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.4::el6", "package" : "undertow" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "release_date" : "2024-07-08T00:00:00Z", "advisory" : "RHSA-2024:4386", "cpe" : "cpe:/a:redhat:jbosseapxp" } ], "package_state" : [ { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Will not fix", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Apache Camel - HawtIO 4", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4" }, { "product_name" : "Red Hat Build of Keycloak", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:build_keycloak:" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Will not fix", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Will not fix", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Will not fix", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-6162\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6162\nhttps://issues.redhat.com/browse/JBEAP-26268" ], "name" : "CVE-2024-6162", "mitigation" : { "value" : "To mitigate this issue, you can either switch to a different listener like the http-listener, or adjust the AJP listener configuration. By setting decode-url=\"false\" on the AJP listener and configuring a separate URL decoding filter, you can prevent the path decoding errors. This adjustment ensures that each request is processed correctly without interference from concurrent requests.", "lang" : "en:us" }, "csaw" : false }