[MAVEN:GHSA-CH7Q-GPFF-H9HP] Undertow Missing Release of Memory after Effective Lifetime vulnerability

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1

A vulnerability was found in Undertow. Triggering this issue requires the learning-push handler, which is disabled by default, to be enabled in the server's configuration with its maxAge setting left unconfigured. The default maxAge is -1, which makes the handler vulnerable. If that setting is overridden, the server is not subject to the attack. The attacker only needs to be able to reach the server with a normal HTTP request.
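The two configurations the advisory contrasts, shown side by side as an added example (not code from the advisory or from the Undertow project): the single-argument LearningPushHandler constructor keeps the handler's defaults, including maxAge = -1, while the three-argument form sets explicit bounds. The bound values, the `MAX_AGE_MS` name and the assumption that maxAge is expressed in milliseconds are this example's assumptions, not statements from the advisory.

```java
import io.undertow.Undertow;
import io.undertow.UndertowOptions;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.LearningPushHandler;
import io.undertow.server.session.InMemorySessionManager;
import io.undertow.server.session.SessionAttachmentHandler;
import io.undertow.server.session.SessionCookieConfig;

public class PushHandlerConfig {
    // Assumed bounds for this example; pick values that fit the deployment.
    static final int MAX_ENTRIES = 100;
    static final int MAX_AGE_MS = 60_000; // unit assumed to be milliseconds

    static HttpHandler application() {
        return exchange -> exchange.getResponseSender().send("ok");
    }

    // The handler stores learned resources in the session, so it needs a
    // SessionAttachmentHandler in front of it in both variants.
    static HttpHandler withSession(HttpHandler push) {
        return new SessionAttachmentHandler(
                push, new InMemorySessionManager("push"), new SessionCookieConfig());
    }

    // Weak: defaults left in place, so maxAge stays at -1 and learned
    // entries are never expired by age. This is the configuration the
    // advisory describes as affected.
    static HttpHandler weakDefaults() {
        return withSession(new LearningPushHandler(application()));
    }

    // Mitigated: maxEntries and maxAge set explicitly, so the learned
    // entries are bounded in both number and lifetime.
    static HttpHandler bounded() {
        return withSession(new LearningPushHandler(MAX_ENTRIES, MAX_AGE_MS, application()));
    }

    public static void main(String[] args) {
        // Server push only applies to HTTP/2 connections, so enable it here.
        Undertow server = Undertow.builder()
                .setServerOption(UndertowOptions.ENABLE_HTTP2, true)
                .addHttpListener(8080, "127.0.0.1")
                .setHandler(bounded())
                .build();
        server.start();
    }
}
```

Upgrading to a fixed release is still the primary remedy; overriding maxAge is the configuration-level mitigation the advisory names for deployments that cannot upgrade immediately.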

Affected package: pkg:maven/io.undertow/undertow-core <= 2.3.14.Final
Fixed package: pkg:maven/io.undertow/undertow-core = 2.2.34.Final
ID: MAVEN:GHSA-CH7Q-GPFF-H9HP
Severity: moderate
URL: https://github.com/advisories/GHSA-ch7q-gpff-h9hp
Published: 2024-07-09T00:31:40
Modified: 2024-07-09T21:09:49
Rights: Maven Security Team
Type      Package URL                           Namespace     Name / Product   Version
Affected  pkg:maven/io.undertow/undertow-core   io.undertow   undertow-core    <= 2.3.14.Final
Fixed     pkg:maven/io.undertow/undertow-core   io.undertow   undertow-core    = 2.2.34.Final