Undertow vulnerable to Race Condition
High severity
GitHub Reviewed
Published
Aug 21, 2024
to the GitHub Advisory Database
•
Updated Dec 13, 2024
Package
Affected versions
< 2.2.36.Final
>= 2.3.0.Alpha1, < 2.3.17.Final
Patched versions
2.2.36.Final
2.3.17.Final
Description
Published by the National Vulnerability Database
Aug 21, 2024
Published to the GitHub Advisory Database
Aug 21, 2024
Reviewed
Aug 21, 2024
Last updated
Dec 13, 2024
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
References