A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
History

Sun, 24 Nov 2024 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:camel_spring_boot:3

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Sat, 19 Oct 2024 00:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:camel_spring_boot:3

Mon, 23 Sep 2024 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:quarkus:3 cpe:/a:redhat:quarkus:2
cpe:/a:redhat:quarkus:3.8::el8
References

Thu, 19 Sep 2024 20:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Sep 2024 08:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak:22 cpe:/a:redhat:build_keycloak:

Thu, 29 Aug 2024 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 08 Aug 2024 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
References

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-07-08T21:21:20.899Z

Updated: 2024-11-24T23:40:26.141Z

Reserved: 2024-04-11T04:14:52.345Z

Link: CVE-2024-3653

cve-icon Vulnrichment

Updated: 2024-08-28T15:02:47.378Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-07-08T22:15:02.527

Modified: 2024-11-21T09:30:06.253

Link: CVE-2024-3653

cve-icon Redhat

Severity : Low

Publid Date: 2024-07-08T20:53:45Z

Links: CVE-2024-3653 - Bugzilla