A vulnerability was found in Undertow. This issue requires that the learning-push handler be enabled in the server's configuration (it is disabled by default) while the handler's maxAge setting is left unconfigured. The default maxAge is -1, which makes the handler vulnerable. If that setting is overridden, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
Fixes

Solution

No solution given by the vendor.


Workaround

Setting the maxAge configuration is sufficient to prevent this vulnerability from being exploited.

History

Wed, 18 Jun 2025 19:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Redhat apache Camel Hawtio

Type: CPEs
Values Removed: cpe:/a:redhat:rhboac_hawtio:4
Values Added: cpe:/a:redhat:apache_camel_hawtio:4

Type: Vendors & Products
Values Removed: Redhat rhboac Hawtio
Values Added: Redhat apache Camel Hawtio

Sun, 24 Nov 2024 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:camel_spring_boot:3

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Sat, 19 Oct 2024 00:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:camel_spring_boot:3

Mon, 23 Sep 2024 20:15:00 +0000

Type: CPEs
Values Removed: cpe:/a:redhat:quarkus:3
Values Added: cpe:/a:redhat:quarkus:2, cpe:/a:redhat:quarkus:3.8::el8

Type: References

Thu, 19 Sep 2024 20:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Sep 2024 08:45:00 +0000

Type: CPEs
Values Removed: cpe:/a:redhat:build_keycloak:22
Values Added: cpe:/a:redhat:build_keycloak:

Thu, 29 Aug 2024 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 08 Aug 2024 21:45:00 +0000

Type: CPEs
Values Removed: cpe:/a:redhat:jboss_enterprise_application_platform:7
Values Added: cpe:/a:redhat:jboss_enterprise_application_platform:7.4, cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7, cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8, cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9

Type: References

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-16T13:48:40.926Z

Reserved: 2024-04-11T04:14:52.345Z

Link: CVE-2024-3653

Vulnrichment

Updated: 2024-08-28T15:02:47.378Z

NVD

Status : Awaiting Analysis

Published: 2024-07-08T22:15:02.527

Modified: 2024-11-21T09:30:06.253

Link: CVE-2024-3653

Redhat

Severity : Low

Public Date: 2024-07-08T20:53:45Z

Links: CVE-2024-3653 - Bugzilla

OpenCVE Enrichment

No data.