GSD-2024-3884 — Vulnetix

GSD-2024-3884 PUBLISHED CVSS 7.5 HIGH

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
Red Hat	Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9	0:801.3.0-1.GA_redhat_00001.1.el9eap
Red Hat	Red Hat JBoss Data Grid 7
Red Hat	Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 9	0:2.2.39-1.Final_redhat_00001.1.el9eap
Red Hat	Red Hat build of Apache Camel 4 for Quarkus 3
Red Hat	Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9	0:6.6.36-1.Final_redhat_00001.1.el9eap
Red Hat	Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8	*
Red Hat	Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8	0:2.6.6-1.Final_redhat_00001.1.el8eap
Red Hat	Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7	*
Red Hat	Red Hat build of Quarkus
Red Hat	Red Hat JBoss Fuse Service Works 6
Red Hat	Red Hat JBoss Enterprise Application Platform 7.4 ELS on RHEL 8	0:7.4.24-4.GA_redhat_00002.1.el8eap
Red Hat	Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9	0:2.5.0-1.redhat_00001.1.el9eap
Red Hat	Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9	0:2.0.2-1.Final_redhat_00001.1.el9eap
Red Hat	Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9	*
Red Hat	Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8	0:2.5.0-1.redhat_00001.1.el8eap
Red Hat	Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9	0:1.83.0-1.redhat_00001.1.el9eap
Red Hat	Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9	0:4.0.10-1.redhat_00001.1.el9eap
Red Hat	Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8	0:2.0.2-1.Final_redhat_00001.1.el8eap
Red Hat	Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8	*
Red Hat	Red Hat JBoss Enterprise Application Platform 7.4

…and 48 more

Timeline

Apr 17, 2025 CVE Published
Dec 3, 2025 PoC Published
Apr 2, 2026 Distribution Patch
Apr 2, 2026 Distribution Patch
Apr 2, 2026 Distribution Patch
Apr 2, 2026 Distribution Patch
Apr 2, 2026 Distribution Patch
Apr 2, 2026 Distribution Patch
Apr 2, 2026 Distribution Patch
Apr 2, 2026 Distribution Patch
Apr 2, 2026 Distribution Patch
Apr 2, 2026 Distribution Patch

References

RHSA-2026:0383 vendor-advisory
RHSA-2026:0384 vendor-advisory
RHSA-2026:0386 vendor-advisory
RHSA-2026:3889 vendor-advisory
RHSA-2026:3891 vendor-advisory
RHSA-2026:3892 vendor-advisory
RHSA-2026:4915 vendor-advisory
RHSA-2026:4916 vendor-advisory
RHSA-2026:4917 vendor-advisory
RHSA-2026:4924 vendor-advisory
RHSA-2026:6011 vendor-advisory
RHSA-2026:6012 vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-3884 vdb
RHBZ#2275287 issue

Open in Interactive Console →