CVE-2024-4109: Withdrawn Advisory: undertow: information leakage via HTTP/2 request header reuse
(updated )
Withdrawn Advisory
This advisory has been withdrawn because it was determined to not be a valid vulnerability. This link is maintained to preserve external references. For more information, see https://nvd.nist.gov/vuln/detail/CVE-2024-4109.
Original Description
A flaw was found in Undertow. An HTTP request header value from a previous stream may be incorrectly reused for a request associated with a subsequent stream on the same HTTP/2 connection. This issue can potentially lead to information leakage between requests.
References
- access.redhat.com/errata/RHSA-2024:10927
- access.redhat.com/errata/RHSA-2024:10928
- access.redhat.com/errata/RHSA-2024:10929
- access.redhat.com/errata/RHSA-2024:10933
- access.redhat.com/errata/RHSA-2024:11559
- access.redhat.com/errata/RHSA-2024:11560
- access.redhat.com/errata/RHSA-2024:11570
- access.redhat.com/security/cve/CVE-2024-4109
- bugzilla.redhat.com/show_bug.cgi?id=2272325
- github.com/advisories/GHSA-22c5-cpvr-cfvq
- github.com/undertow-io/undertow
- github.com/undertow-io/undertow/blob/6ae61c6af88d2a8341922ccd0de98926e8349543/core/src/main/java/io/undertow/protocols/http2/HpackDecoder.java
- nvd.nist.gov/vuln/detail/CVE-2024-4109
Code Behaviors & Features
Detect and mitigate CVE-2024-4109 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →