operatorfabric-core icon indicating copy to clipboard operation
operatorfabric-core copied to clipboard

Published 20 hours ago verified publisher icon opfab

CVE-2024-3653 (Medium) detected in undertow-servlet-2.3.13.Final.jar

Open mend-bolt-for-github[bot] opened this issue 1 year ago • 0 comments

CVE-2024-3653 - Medium Severity Vulnerability

Vulnerable Library - undertow-servlet-2.3.13.Final.jar

Library home page: http://www.jboss.org

Path to dependency file: /services/external-devices/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.undertow/undertow-servlet/2.3.13.Final/b1de937a4a6b5c941e5dda5d6a37c86f09103860/undertow-servlet-2.3.13.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.undertow/undertow-servlet/2.3.13.Final/b1de937a4a6b5c941e5dda5d6a37c86f09103860/undertow-servlet-2.3.13.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.undertow/undertow-servlet/2.3.13.Final/b1de937a4a6b5c941e5dda5d6a37c86f09103860/undertow-servlet-2.3.13.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.undertow/undertow-servlet/2.3.13.Final/b1de937a4a6b5c941e5dda5d6a37c86f09103860/undertow-servlet-2.3.13.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-undertow-3.3.2.jar (Root Library)
    • :x: undertow-servlet-2.3.13.Final.jar (Vulnerable Library)

Found in HEAD commit: c41ef568bfcdd468f539067b28a5490847f990c8

Found in base branch: develop

Vulnerability Details

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

Publish Date: 2024-07-08

URL: CVE-2024-3653

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-3653

Release Date: 2024-07-08

Fix Resolution: io.undertow:undertow-core - 2.3.0.Alpha1

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Aug 14 '24 18:08 mend-bolt-for-github[bot]