Key Information About the Vulnerability

Bug ID: 2305290
CVE ID: CVE-2024-7885
Vulnerability Title: undertow: Improper State Management in Proxy Protocol parsing causes information leakage
Severity: High
Priority: High
Status: NEW
Product: Security Response
Component: vulnerability
OS: Linux
Reported: 2024-08-16 09:09 UTC by Michal Findra
Modified: 2025-11-11 08:27 UTC

Summary of the Vulnerability

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

Addressed in the Following Products and Via the Following RHSA:

Red Hat build of Apache Camel 4.4.2 for Spring Boot: RHSA-2024:6508
Red Hat build of Apache Camel 3.20.7 for Spring Boot: RHSA-2024:6883
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9: RHSA-2024:7441
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8: RHSA-2024:7442
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7: RHSA-2024:7735
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8: RHSA-2024:7736
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9: RHSA-2024:7736
HawtIO 4.0.0 for Red Hat build of Apache Camel 4: RHSA-2024:11023
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7: RHSA-2025:16667
Red Hat JBoss Enterprise Application Platform 7: RHSA-2024:8080
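The bug class described in the summary, shown as an added illustration that is not Undertow's code (class and method names are hypothetical): a PROXY v1 line parser that keeps a StringBuilder as instance state and never resets it, placed beside the per-request-reset form that closes the leak.

```java
import java.nio.charset.StandardCharsets;

// Constructed illustration of the bug class behind CVE-2024-7885, not Undertow's code:
// a line parser that keeps one StringBuilder as instance state. The vulnerable
// variant never clears it, so a previous PROXY v1 line bleeds into the next parse.
public class ProxyV1ParserDemo {

    // Vulnerable: builder shared across calls, never reset after a line completes.
    static final class SharedBuilderParser {
        private final StringBuilder line = new StringBuilder();
        String parse(byte[] data) {
            for (byte b : data) {
                if (b == '\n') {
                    return line.toString().trim(); // stale bytes stay in the builder
                }
                line.append((char) b);
            }
            return null; // line incomplete, wait for more bytes
        }
    }

    // Hardened: same structure, but state is dropped once a full line is consumed.
    static final class ResettingParser {
        private final StringBuilder line = new StringBuilder();
        String parse(byte[] data) {
            for (byte b : data) {
                if (b == '\n') {
                    String result = line.toString().trim();
                    line.setLength(0); // nothing from this request survives into the next
                    return result;
                }
                line.append((char) b);
            }
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample headers using documentation (TEST-NET) addresses.
        byte[] first = "PROXY TCP4 192.0.2.10 192.0.2.1 40000 443\r\n".getBytes(StandardCharsets.US_ASCII);
        byte[] second = "PROXY TCP4 198.51.100.7 192.0.2.1 40001 443\r\n".getBytes(StandardCharsets.US_ASCII);
        SharedBuilderParser bad = new SharedBuilderParser();
        bad.parse(first);
        System.out.println("shared : " + bad.parse(second)); // starts with the first line's data
        ResettingParser good = new ResettingParser();
        good.parse(first);
        System.out.println("reset  : " + good.parse(second)); // only the second line
    }
}
```

The shared-builder output contains the first connection's address and port in the second result, which is the cross-request reuse the advisory describes; resetting the builder after each consumed line (or allocating one per request) removes it.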