io.undertow:undertow-core CVE-2024-6162

[jamiejackson]

IDs

CVE-2024-6162

Description

I'm not sure whether there's a data source error or not.

GHSA-9442-gm4v-r222

Here's an alternate listing: https://www.cve.org/CVERecord?id=CVE-2024-6162

False positive from trivy:

{
  "CVE": "CVE-2024-6162",
  "Level": "HIGH",
  "PackageName": "io.undertow:undertow-core",
  "PackagePath": "root/.CommandBox/lib/runwar-5.0.8.jar",
  "InstalledVersion": "2.2.37.Final",
  "FixedVersion": "2.3.14.Final",
  "Title": "undertow: url-encoded request path information can be broken on ajp-listener",
  "Description": "A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as \"404 Not Found\" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up."
}

Reproduction Steps

Repro case.

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

% docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/.trivy_cache:/root/.cache/trivy aquasec/trivy image commandbox_test --ignore-unfixed -s HIGH,CRITICAL --scanners vuln --debug
2025-02-21T21:11:09Z    DEBUG   No plugins loaded
2025-02-21T21:11:09Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-21T21:11:09Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-02-21T21:11:09Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-02-21T21:11:09Z    DEBUG   Parsed severities       severities=[HIGH CRITICAL]
2025-02-21T21:11:09Z    DEBUG   Ignore statuses statuses=[0 1 2 4 5 6 7]
2025-02-21T21:11:09Z    DEBUG   DB update was skipped because the local DB is the latest
2025-02-21T21:11:09Z    DEBUG   DB info schema=2 updated_at=2025-02-21T12:17:20.758127043Z next_update=2025-02-22T12:17:20.758126763Z downloaded_at=2025-02-21T18:45:13.623429196Z
2025-02-21T21:11:09Z    DEBUG   [pkg] Package types     types=[os library]
2025-02-21T21:11:09Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-02-21T21:11:09Z    INFO    [vuln] Vulnerability scanning is enabled
2025-02-21T21:11:09Z    DEBUG   Initializing scan cache...      type="fs"
2025-02-21T21:11:09Z    DEBUG   [image] Detected image ID       image_id="sha256:175224cb5f5ba67fa676127a0cc14dce76ddf09b0b1b40e417ea1520de0d7222"
2025-02-21T21:11:09Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:72e830a4dff5f0d5225cdc0a320e85ab1ce06ea5673acfe8d83a7645cbd0e9cf sha256:5836ece05bfd8a5425efcf10075dfd206079fc6c10880dabbc38dd9701ab44bf sha256:34f7184834b2dbb736d5d07c9835e4ca13289b9a90afb40780f7c8a68f2f6ccb sha256:4e9e46b3d434c6e747d29c957962fddf75a6612675fa3888faf3f6ba83a42b2a sha256:fddc3f4ba4088f9b892f4664a4b7fe8c805201c97503e58a1578a1df172238b7]
2025-02-21T21:11:09Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:72e830a4dff5f0d5225cdc0a320e85ab1ce06ea5673acfe8d83a7645cbd0e9cf sha256:5836ece05bfd8a5425efcf10075dfd206079fc6c10880dabbc38dd9701ab44bf sha256:34f7184834b2dbb736d5d07c9835e4ca13289b9a90afb40780f7c8a68f2f6ccb]
2025-02-21T21:11:09Z    INFO    Detected OS     family="alpine" version="3.14.0"
2025-02-21T21:11:09Z    INFO    [alpine] Detecting vulnerabilities...   os_version="3.14" repository="3.14" pkg_num=24
2025-02-21T21:11:09Z    INFO    Number of language-specific files       num=1
2025-02-21T21:11:09Z    INFO    [jar] Detecting vulnerabilities...
2025-02-21T21:11:09Z    DEBUG   [jar] Scanning packages for vulnerabilities     file_path=""
2025-02-21T21:11:09Z    WARN    This OS version is no longer supported by the distribution      family="alpine" version="3.14.0"
2025-02-21T21:11:09Z    WARN    The vulnerability detection may be insufficient because security updates are not provided

commandbox_test (alpine 3.14.0)
===============================
Total: 0 (HIGH: 0, CRITICAL: 0)

2025-02-21T21:11:09Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-02-21T21:11:09Z    DEBUG   [vex] VEX filtering is disabled
2025-02-21T21:11:09Z    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)
==========
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│                   Library                    │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ io.undertow:undertow-core (runwar-5.0.8.jar) │ CVE-2024-6162 │ HIGH     │ fixed  │ 2.2.37.Final      │ 2.3.14.Final  │ undertow: url-encoded request path information can be broken │
│                                              │               │          │        │                   │               │ on ajp-listener                                              │
│                                              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6162                    │
└──────────────────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Version

Version: 0.59.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-21 12:17:20.758127043 +0000 UTC
  NextUpdate: 2025-02-22 12:17:20.758126763 +0000 UTC
  DownloadedAt: 2025-02-21 18:45:13.623429196 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-02-14 02:24:51.921228254 +0000 UTC
  NextUpdate: 2025-02-17 02:24:51.921228094 +0000 UTC
  DownloadedAt: 2025-02-21 18:47:07.22447096 +0000 UTC

### Checklist

- [X] Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
- [X] Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct