Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 2.3.14.SP1, 2.3.15.Final, 2.3.33.SP1, 2.2.34.Final
Affects Version/s: None
Component/s: None
Labels:
None

Git Pull Request:
https://gitlab.cee.redhat.com/undertow-io/undertow/-/merge_requests/88, https://gitlab.cee.redhat.com/undertow-io/undertow/-/merge_requests/91, https://github.com/undertow-io/undertow/pull/1639, https://github.com/undertow-io/undertow/pull/1640, https://github.com/undertow-io/undertow/pull/1641

A vulnerability was found in Undertow. This vulnerability requires enabling the learning-push handler in the server's config (it is disabled by default), leave the maxAge config in the handler unconfigured. The default is -1, so it makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

Severity: Low

is incorporated by

WFCORE-6900 CVE-2024-3653 CVE-2024-5971 Upgrade Undertow to 2.3.15.Final

Resolved

links to

Bug 2274437 - Red Hat Bugzilla

CVE-2024-3653

Assignee:: Bartosz Baranowski

Reporter:: Bartosz Baranowski

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/04/26 9:34 AM

Updated:: 2024/08/14 9:00 AM

Resolved:: 2024/06/20 9:04 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates