CVE-2024-3653

Name of the Vulnerable Software and Affected Versions Undertow (affected versions not specified)

Description A vulnerability was found in Undertow, which requires the learning-push handler to be enabled in the server's config. By default, this handler is disabled. If enabled and the maxAge config in the handler is left unconfigured, the default value of -1 makes the handler vulnerable. An attacker needs to be able to reach the server with a normal HTTP request to exploit this issue.

Recommendations For Undertow, to mitigate this issue, ensure the learning-push handler is disabled if not necessary. If the handler must be enabled, configure the maxAge setting to a value other than the default -1 to prevent the vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.