UBUNTU-CVE-2024-6162

Source
https://ubuntu.com/security/CVE-2024-6162
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-6162.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-6162
Upstream
Published
2024-06-20T15:15:00Z
Modified
2025-09-08T16:58:55Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Ubuntu - medium
Summary
[none]
Details

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

References

Affected packages

Ubuntu:22.04:LTS

undertow

Package

Name
undertow
Purl
pkg:deb/ubuntu/undertow@2.2.16-1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.2.8-1
2.2.12-1
2.2.13-1
2.2.14-1
2.2.16-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.2.16-1",
            "binary_name": "libundertow-java"
        }
    ]
}

Ubuntu:24.04:LTS

undertow

Package

Name
undertow
Purl
pkg:deb/ubuntu/undertow@2.3.8-2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.3.8-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.3.8-2",
            "binary_name": "libundertow-java"
        }
    ]
}

Ubuntu:25.04

undertow

Package

Name
undertow
Purl
pkg:deb/ubuntu/undertow@2.3.18-1?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.3.8-2
2.3.18-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.3.18-1",
            "binary_name": "libundertow-java"
        }
    ]
}

Ubuntu:Pro:16.04:LTS

undertow

Package

Name
undertow
Purl
pkg:deb/ubuntu/undertow@1.3.16-1?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.3.4-1
1.3.5-1
1.3.7-1
1.3.11-1
1.3.16-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.3.16-1",
            "binary_name": "libundertow-java"
        }
    ]
}

Ubuntu:Pro:18.04:LTS

undertow

Package

Name
undertow
Purl
pkg:deb/ubuntu/undertow@1.4.23-3?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.4.20-1
1.4.21-1
1.4.22-1
1.4.23-1
1.4.23-2build1
1.4.23-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.4.23-3",
            "binary_name": "libundertow-java"
        }
    ]
}

Ubuntu:Pro:20.04:LTS

undertow

Package

Name
undertow
Purl
pkg:deb/ubuntu/undertow@2.0.29-1?arch=source&distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.0.23-1
2.0.27-1
2.0.28-1
2.0.29-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.29-1",
            "binary_name": "libundertow-java"
        }
    ]
}