CVE-2024-6162

Summary

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

Affected Software

VendorProductVersion RangeStatus
0 < 2.2.33.Finalaffected
2.3.0.Alpha1 < 2.3.14affected

Weaknesses

  • CWE-488: Exposure of Data Element to Wrong Session

Workarounds

To mitigate this issue, you can either switch to a different listener like the http-listener, or adjust the AJP listener configuration. By setting decode-url="false" on the AJP listener and configuring a separate URL decoding filter, you can prevent the path decoding errors. This adjustment ensures that each request is processed correctly without interference from concurrent requests.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References