CVE-2024-6162

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-6162

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

A

vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

References
Link Resource
https://access.redhat.com/errata/RHSA-2024:1194
https://access.redhat.com/errata/RHSA-2024:4386
https://access.redhat.com/errata/RHSA-2024:4884
https://access.redhat.com/security/cve/CVE-2024-6162
https://bugzilla.redhat.com/show_bug.cgi?id=2293069
https://issues.redhat.com/browse/JBEAP-26268
https://access.redhat.com/errata/RHSA-2024:4884
https://access.redhat.com/security/cve/CVE-2024-6162
https://bugzilla.redhat.com/show_bug.cgi?id=2293069
https://security.netapp.com/advisory/ntap-20241129-0009/
Configurations

No configuration.

History

25 Feb 2026, 21:16

Type Values Removed Values Added
CWE CWE-400 CWE-488

29 Nov 2024, 12:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20241129-0009/ -

21 Nov 2024, 09:49

Type Values Removed Values Added
References () https://access.redhat.com/errata/RHSA-2024:4884 - () https://access.redhat.com/errata/RHSA-2024:4884 -
References () https://access.redhat.com/security/cve/CVE-2024-6162 - () https://access.redhat.com/security/cve/CVE-2024-6162 -
References () https://bugzilla.redhat.com/show_bug.cgi?id=2293069 - () https://bugzilla.redhat.com/show_bug.cgi?id=2293069 -

09 Sep 2024, 18:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:1194 -
  • () https://access.redhat.com/errata/RHSA-2024:4386 -

05 Aug 2024, 15:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:4884 -
  • () https://issues.redhat.com/browse/JBEAP-26268 -
Summary
  • (es) Se encontró una vulnerabilidad en Undertow. La información de la ruta de solicitud codificada en URL se puede romper para solicitudes simultáneas en ajp-listener, lo que provoca que se procese la ruta incorrecta y resulte en una posible denegación de servicio.
Summary (en) A vulnerability was found in Undertow. URL-encoded request path information can be broken for concurrent requests on ajp-listener, causing the wrong path to be processed and resulting in a possible denial of service. (en) A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

20 Jun 2024, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-20 15:15

Updated : 2026-02-25 21:16

NVD link : CVE-2024-6162

Mitre link : CVE-2024-6162

CVE.ORG link : CVE-2024-6162

JSON object : View

Products Affected

No product.

CWE
CWE-488

Exposure of Data Element to Wrong Session