Exposure of Data Element to Wrong Session

CVE-2024-6162

High

7.5/10

Summary

A vulnerability was found in Undertow versions through 2.2.32.Final, and 2.3.0.Alpha1 through 2.3.13.Final are vulnerable to Denial-of-Service (DoS) vulnerability. URL-encoded request path information can be broken for concurrent requests on ajp-listener, causing the wrong path to be processed and resulting in a possible Denial-of-Service (DoS) attack.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-488 - Exposure of Data Element to Wrong Session

The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

References

Advisory
Pull request
2.3.14
2.2.33
Issue

Advisory Timeline

Published Jun 20, 2024

Exposure of Data Element to Wrong Session

CVE-2024-6162

Summary

CWE-488 - Exposure of Data Element to Wrong Session

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS