Medium severity (CVSS 5.3, NVD) · Advisory · Published Jul 8, 2024 · Updated Apr 15, 2026
CVE-2024-3653
Description
A vulnerability was found in Undertow. This issue requires the learning-push handler to be enabled in the server's configuration (it is disabled by default) while the handler's maxAge setting is left unconfigured. The default maxAge is -1, which makes the handler vulnerable; if that setting is overridden, the server is not subject to the attack. The attacker only needs to be able to reach the server with a normal HTTP request.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.undertow:undertow-core (Maven) | >= 2.3.0.Alpha1, < 2.3.15.Final | 2.3.15.Final |
| io.undertow:undertow-core (Maven) | < 2.2.34.Final | 2.2.34.Final |
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-ch7q-gpff-h9hp (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-3653 (GHSA, advisory)
- access.redhat.com/errata/RHSA-2024:4392 (NVD, web)
- access.redhat.com/errata/RHSA-2024:5143 (NVD, web)
- access.redhat.com/errata/RHSA-2024:5144 (NVD, web)
- access.redhat.com/errata/RHSA-2024:5145 (NVD, web)
- access.redhat.com/errata/RHSA-2024:5147 (NVD, web)
- access.redhat.com/errata/RHSA-2024:6437 (NVD, web)
- access.redhat.com/security/cve/CVE-2024-3653 (NVD, web)
- bugzilla.redhat.com/show_bug.cgi (NVD, web)
- github.com/undertow-io/undertow/pull/1639 (GHSA, web)
- github.com/undertow-io/undertow/pull/1640 (GHSA, web)
- github.com/undertow-io/undertow/pull/1641 (GHSA, web)
- issues.redhat.com/browse/UNDERTOW-2382 (GHSA, web)
- security.netapp.com/advisory/ntap-20240828-0002/ (NVD)