VYPR
Medium severity5.3GHSA Advisory· Published Jul 8, 2024· Updated Apr 15, 2026

CVE-2024-3653

CVE-2024-3653

Description

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.undertow:undertow-coreMaven
>= 2.3.0.Alpha1, < 2.3.15.Final2.3.15.Final
io.undertow:undertow-coreMaven
< 2.2.34.Final2.2.34.Final

Affected products

3

Patches

Vulnerability mechanics

References

15

News mentions

0

No linked articles in our index yet.