
[GHSA-9442-gm4v-r222] Undertow's url-encoded request path information can be broken on ajp-listener #4913

Merged

Conversation

@fawind fawind commented Oct 17, 2024

@github-actions github-actions bot changed the base branch from main to fawind/advisory-improvement-4913 October 17, 2024 10:31
"published": "2024-06-20T15:31:19Z",
"aliases": [
"CVE-2024-6162"
],
"summary": "Undertow's url-encoded request path information can be broken on ajp-listener",
"details": "A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as \"404 Not Found\" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
@fawind fawind (Author) Oct 17, 2024

Hmm, wasn't planning on removing the CVSS V3 score. Think the form did the change for me, given it only allows you to submit either V3 or V4 but not both?

Happy to update the PR manually if we want to preserve that info?


No need to worry about the missing CVSS score. We can handle it on our end.
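The advisory text in the review context above describes one shared buffer being used to decode the request paths of several concurrent requests on the AJP listener. The following is an added example, not Undertow's code and not part of this PR: a small incremental percent-decoder whose writes into a reusable buffer can be interleaved deterministically by a round-robin scheduler (a stand-in for two worker threads), so the effect of a shared buffer versus a per-request buffer can be observed without relying on real thread timing. The function names, the paths used as input and the interleaving order are all constructed for this illustration.

```python
import string
from typing import Generator, List, Optional

HEX = set(string.hexdigits)


def decode_path_steps(encoded: str, buf: bytearray) -> Generator[None, None, str]:
    """Incrementally percent-decode `encoded` into `buf`, yielding after every
    byte written so a scheduler can interleave several decoders. At the end the
    whole buffer is read back as the decoded path and the buffer is reset for
    reuse, mirroring a decode buffer that is recycled between requests
    (constructed model, not Undertow's actual decoder)."""
    i, n = 0, len(encoded)
    while i < n:
        c = encoded[i]
        if c == "%":
            hx = encoded[i + 1:i + 3]
            if len(hx) != 2 or not all(ch in HEX for ch in hx):
                raise ValueError("malformed percent escape at offset %d" % i)
            buf.append(int(hx, 16))
            i += 3
        else:
            buf.extend(c.encode("utf-8"))
            i += 1
        yield  # hand control to the scheduler after each byte
    decoded = bytes(buf).decode("utf-8")
    buf.clear()  # reset for the next request that reuses this buffer
    return decoded


def run_interleaved(decoders: List[Generator[None, None, str]]) -> List[str]:
    """Drive the decoders round-robin, one step each, until all have finished.
    This is a deterministic substitute for two listener threads racing."""
    results: List[Optional[str]] = [None] * len(decoders)
    live = list(range(len(decoders)))
    while live:
        for idx in list(live):
            try:
                next(decoders[idx])
            except StopIteration as done:
                results[idx] = done.value
                live.remove(idx)
    return [r if r is not None else "" for r in results]


def decode_concurrently(paths: List[str], shared_buffer: bool) -> List[str]:
    """Decode several request paths 'concurrently'. With shared_buffer=True every
    request writes into the same buffer (the flawed pattern the advisory
    describes); with shared_buffer=False each request owns its buffer (the fix)."""
    if shared_buffer:
        buf = bytearray()
        gens = [decode_path_steps(p, buf) for p in paths]
    else:
        gens = [decode_path_steps(p, bytearray()) for p in paths]
    return run_interleaved(gens)


if __name__ == "__main__":
    # Constructed sample requests arriving at the same time.
    requests = ["/a%20b", "/xy"]
    print("per-request buffer:", decode_concurrently(requests, shared_buffer=False))
    print("shared buffer:     ", decode_concurrently(requests, shared_buffer=True))
```

With per-request buffers the two paths come back as `/a b` and `/xy`. With the shared buffer, the second request reads back the interleaved bytes of both requests (`//ax yb`) and the first request, finishing after the buffer was already drained, reads back an empty path: exactly the "wrong path" outcome (404s or other application failures) that the advisory classifies as an availability impact. The mitigation the model illustrates is the obvious one, per-request decode state, which is also why the issue is detectable by correlating unexpected 404s on known-good paths under concurrent AJP load.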

@advisory-database advisory-database bot merged commit d81f8ed into fawind/advisory-improvement-4913 Oct 17, 2024
1 check passed
@advisory-database (Contributor)

Hi @fawind! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the fawind-GHSA-9442-gm4v-r222 branch October 17, 2024 14:08