CVE-2024-6162: 
Java vulnerability analysis and mitigation

A vulnerability was found in Undertow (CVE-2024-6162), where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. The vulnerability was discovered and disclosed on June 20, 2024, affecting Undertow versions through 2.2.32 and 2.3.0-alpha1 through 2.3.13. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed (NVD Database, Debian Tracker).

The vulnerability occurs when URL-encoded request paths are processed during concurrent requests specifically on the AJP listener. The core issue stems from using the same buffer to decode paths for multiple requests simultaneously, which leads to path information being incorrectly processed. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a high-severity issue with network accessibility and no required privileges or user interaction (Red Hat CVE).

When exploited, the vulnerability can cause the server to attempt to access incorrect paths, resulting in errors such as '404 Not Found' or other application failures. The primary impact is a potential denial of service (DoS) condition, as legitimate resources become inaccessible due to the path mix-up. This affects the availability of the system while maintaining confidentiality and integrity (NetApp Security).

Multiple vendors have released security updates to address this vulnerability. Red Hat has included fixes in various products including Red Hat Build of Apache Camel 4.4.1 for Spring Boot and JBoss Enterprise Application Platform updates (Red Hat Advisory). NetApp has also acknowledged the vulnerability and is providing updates for affected products (NetApp Security).