Medium severity (CVSS 5.3) · GHSA Advisory · Published Jul 8, 2024 · Updated Apr 15, 2026
CVE-2024-3653
Description
A vulnerability was found in Undertow. This issue requires the learning-push handler to be enabled in the server's configuration (it is disabled by default) with the handler's maxAge setting left unconfigured. The default maxAge is -1, which makes the handler vulnerable. If that setting is overridden, the server is not subject to the attack. The attacker only needs to be able to reach the server with a normal HTTP request.
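The two configurations the description contrasts, as an added Java example that is not part of the advisory or of the Undertow project: the handler left at its default maxAge beside the same handler with maxAge set explicitly. The constructors `LearningPushHandler(HttpHandler)` and `LearningPushHandler(int maxEntries, int maxAge, HttpHandler next)` are assumed from the Undertow API as I recall it, the maxAge unit is assumed to be milliseconds, and `MAX_ENTRIES`, `ONE_HOUR_MS` and the static file path are values chosen for this example.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.LearningPushHandler;
import io.undertow.server.handlers.resource.PathResourceManager;
import io.undertow.server.handlers.resource.ResourceHandler;

import java.nio.file.Paths;

public class PushHandlerConfig {

    // Constructed values for this example; size them for your deployment.
    static final int MAX_ENTRIES = 1000;
    static final int ONE_HOUR_MS = 60 * 60 * 1000; // unit assumed: milliseconds

    // Configuration the advisory describes as vulnerable: the handler is
    // enabled and maxAge is left unconfigured, i.e. at its default of -1
    // (assumed: the single-argument constructor keeps that default).
    static HttpHandler learningPushWithDefaults(HttpHandler next) {
        return new LearningPushHandler(next);
    }

    // Mitigated configuration: maxAge is set explicitly, which the advisory
    // names as the condition under which the server is not subject to the attack.
    static HttpHandler learningPushWithMaxAge(HttpHandler next) {
        return new LearningPushHandler(MAX_ENTRIES, ONE_HOUR_MS, next);
    }

    public static void main(String[] args) {
        // Example path; replace with the real static-content directory.
        HttpHandler files = new ResourceHandler(
                new PathResourceManager(Paths.get("/var/www/static"), 1024));

        Undertow server = Undertow.builder()
                .addHttpListener(8080, "0.0.0.0")
                .setHandler(learningPushWithMaxAge(files))
                .build();
        server.start();
    }
}
```

Upgrading to a patched release (2.2.34.Final or 2.3.15.Final per the table below) is still the primary fix; the explicit maxAge is the configuration-side mitigation the description points at.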
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.undertow:undertow-core | Maven | >= 2.3.0.Alpha1, < 2.3.15.Final | 2.3.15.Final |
| io.undertow:undertow-core | Maven | < 2.2.34.Final | 2.2.34.Final |
Affected products
- Range: < 2.2.34.Final
- OSV coordinates: < 2.3.18-1 (no CPE)
- Range: >= 2.3.0.Alpha1, < 2.3.15.Final (no CPE)
References
- github.com/advisories/GHSA-ch7q-gpff-h9hp (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-3653 (advisory)
- access.redhat.com/errata/RHSA-2024:4392
- access.redhat.com/errata/RHSA-2024:5143
- access.redhat.com/errata/RHSA-2024:5144
- access.redhat.com/errata/RHSA-2024:5145
- access.redhat.com/errata/RHSA-2024:5147
- access.redhat.com/errata/RHSA-2024:6437
- access.redhat.com/security/cve/CVE-2024-3653
- bugzilla.redhat.com/show_bug.cgi
- github.com/undertow-io/undertow/pull/1639
- github.com/undertow-io/undertow/pull/1640
- github.com/undertow-io/undertow/pull/1641
- issues.redhat.com/browse/UNDERTOW-2382
- security.netapp.com/advisory/ntap-20240828-0002/