CVE-2024-4109: Undertow: information leakage via http/2 request header reuse

Description

A flaw was found in Undertow. An HTTP request header value from a previous stream may be incorrectly reused for a request associated with a subsequent stream on the same HTTP/2 connection. This issue can potentially lead to information leakage between requests.

Classification

CVE ID: CVE-2024-4109

Affected Products

Vendor: Red Hat

Product: Red Hat JBoss Enterprise Application Platform 7.4.20

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://access.redhat.com/errata/RHSA-2024:10927
https://access.redhat.com/errata/RHSA-2024:10928
https://access.redhat.com/errata/RHSA-2024:10929
https://access.redhat.com/errata/RHSA-2024:10933
https://access.redhat.com/errata/RHSA-2024:11559
https://access.redhat.com/errata/RHSA-2024:11560
https://access.redhat.com/errata/RHSA-2024:11570
https://access.redhat.com/security/cve/CVE-2024-4109
https://bugzilla.redhat.com/show_bug.cgi?id=2272325

Timeline

2024-12-12 20:15:18 UTC
Github Advisory Database (Maven)

[io.undertow:undertow-core] undertow: information leakage via HTTP/2 request header reuse
2024-12-20 00:40:54 UTC
CVE

Undertow: information leakage via http/2 request header reuse