A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
Metrics
Affected Vendors & Products
References
History
Sun, 24 Nov 2024 23:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs |
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Sat, 19 Oct 2024 00:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:/a:redhat:camel_spring_boot:3 |
Mon, 23 Sep 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:/a:redhat:quarkus:2 cpe:/a:redhat:quarkus:3.8::el8 |
|
References |
|
Thu, 19 Sep 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Metrics |
ssvc
|
Wed, 18 Sep 2024 08:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:/a:redhat:build_keycloak: |
Thu, 29 Aug 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Thu, 08 Aug 2024 21:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 |
|
References |
|
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2024-07-08T21:21:20.899Z
Updated: 2024-11-24T23:40:26.141Z
Reserved: 2024-04-11T04:14:52.345Z
Link: CVE-2024-3653
Vulnrichment
Updated: 2024-08-28T15:02:47.378Z
NVD
Status : Awaiting Analysis
Published: 2024-07-08T22:15:02.527
Modified: 2024-11-21T09:30:06.253
Link: CVE-2024-3653
Redhat