DNA View

High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2024-7885

Severity: High
CVSS Score: 7.5
Published: Aug 21, 2024
Last Modified: Jan 19, 2026

Vulnerability Description

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
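The defect class described above (one mutable StringBuilder kept for the lifetime of a connection and reused for every request's PROXY v1 header) shown as an added, deliberately simplified illustration; this is not Undertow's ProxyProtocolReadListener or parseProxyProtocolV1 code, and the two header lines are constructed sample input.

```java
// Added illustration of the shared-buffer defect class, NOT Undertow's own code.
public class ProxyV1BufferDemo {

    // Vulnerable pattern: one StringBuilder instance lives for the whole connection,
    // so characters appended while parsing one request remain visible to the next.
    static final class SharedBuilderParser {
        private final StringBuilder header = new StringBuilder();

        String parseLine(String raw) {
            for (char c : raw.toCharArray()) {
                if (c == '\r' || c == '\n') break;
                header.append(c);               // never cleared between requests
            }
            return header.toString();
        }
    }

    // Hardened pattern: the builder is local to one parse call, so no parser state
    // can cross from one request to the next (resetting with setLength(0) at the
    // start of every parse would also work, but a local is harder to get wrong).
    static final class PerRequestBuilderParser {
        String parseLine(String raw) {
            StringBuilder header = new StringBuilder();
            for (char c : raw.toCharArray()) {
                if (c == '\r' || c == '\n') break;
                header.append(c);
            }
            return header.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed PROXY v1 header lines for two requests on one connection.
        String first  = "PROXY TCP4 192.0.2.10 198.51.100.5 56324 443\r\n";
        String second = "PROXY TCP4 192.0.2.77 198.51.100.5 40112 443\r\n";

        SharedBuilderParser shared = new SharedBuilderParser();
        shared.parseLine(first);
        // The second result still begins with the first request's header: data from
        // an earlier request leaks into the later one, and a strict parser expecting
        // a single "PROXY ..." line now fails, matching the errors and connection
        // termination the description mentions.
        System.out.println(shared.parseLine(second));

        PerRequestBuilderParser fixed = new PerRequestBuilderParser();
        fixed.parseLine(first);
        System.out.println(fixed.parseLine(second)); // only the second header
    }
}
```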

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)

Known Affected Software

10 configuration(s) from 1 vendor(s)

build_of_apache_camel_for_spring_boot, version: -, CPE: cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:-:*:*:*:*:*:*:*
build_of_keycloak, version: -, CPE: cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
jboss_enterprise_application_platform, version: 8.0.0, CPE: cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
process_automation, version: 7.0, CPE: cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
build_of_apache_camel_-_hawtio, version: -, CPE: cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:-:*:*:*:*:*:*:*
single_sign-on, version: 7.0, CPE: cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
jboss_fuse, version: 7.0.0, CPE: cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
data_grid, version: 8.0.0, CPE: cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*
jboss_enterprise_application_platform, version: 7.0.0, CPE: cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*
integration_camel_k, version: -, CPE: cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*

This vulnerability affects 10 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

2 patches available from vendors

Oracle: CPUJUL2025, Oracle Critical Patch Update Advisory - July 2025
Severity: Critical; Released: Jul 15, 2025; Restart Required; Security Update

Oracle: CPUJAN2025, Oracle Critical Patch Update Advisory - January 2025
Severity: Critical; Released: Jan 21, 2025; Restart Required; Security Update

Severity Details

Score: 7.5 out of 10.0 (High)

Weakness Type (CWE)

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Exploit Likelihood
Medium
Typical Severity
High
Abstraction Level
Class

Key Information

Published Date
August 21, 2024