CVE-2024-6162 HIGH

CVE-2024-6162: Undertow: url-encoded request path information can be broken on ajp-listener

Vendor: Red Hat
Product: EAP 8.0.1
Weakness: CWE-488
Published: June 20, 2024
Last update: February 25, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
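The following is a constructed Python illustration of the flaw class the description names, not Undertow's own code: a percent-decoder writes into one buffer shared by every in-flight request, and interleaving two requests deterministically (in place of a real thread switch) shows how each ends up with a path built from both. The request paths are made up for the example.

```python
# Constructed illustration (not Undertow code) of the flaw class in the
# description: a percent-decoder whose output buffer is shared by every
# in-flight request, so two requests decoded concurrently corrupt each other.

def decode_steps(raw: bytes, buf: bytearray):
    """Percent-decode `raw` into `buf` one output byte at a time.

    Yields after every byte so a scheduler can interleave two decoders; the
    yield stands in for the thread switch between concurrent AJP requests.
    Assumes well-formed %XX escapes (enough for the illustration).
    """
    buf.clear()                                   # fresh start for *this* request
    i = 0
    while i < len(raw):
        if raw[i] == 0x25 and i + 2 < len(raw):   # '%' followed by two hex digits
            buf.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            buf.append(raw[i])
            i += 1
        yield


def serve_concurrently(paths, shared):
    """Round-robin the decoders of several requests to mimic concurrency.

    shared=True  -> one buffer reused across requests (the vulnerable pattern)
    shared=False -> a private buffer per request (the fix)
    Returns the path each request ends up with when its decoder finishes.
    """
    common = bytearray()
    bufs = [common if shared else bytearray() for _ in paths]
    gens = [decode_steps(p, b) for p, b in zip(paths, bufs)]
    results = [None] * len(paths)
    pending = list(range(len(paths)))
    while pending:
        for idx in list(pending):
            try:
                next(gens[idx])
            except StopIteration:
                # What the server now believes this request's path is.
                results[idx] = bytes(bufs[idx])
                pending.remove(idx)
    return results


if __name__ == "__main__":
    reqs = [b"/a%20b", b"/img"]   # two constructed concurrent request paths
    print("shared buffer:", serve_concurrently(reqs, shared=True))
    print("per-request  :", serve_concurrently(reqs, shared=False))
```

A single request decoded through the shared buffer still comes out correct, which is why this class of bug passes sequential tests and only surfaces under concurrent load.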

Key dates

Disclosure timeline

June 20, 2024: CVE published
February 25, 2026: Record updated