CVE-2024-3653
Published: 08 July 2024
Summary
CVE-2024-3653 is a medium-severity memory leak (CWE-401, Missing Release of Memory after Effective Lifetime) in the Undertow web server. Its CVSS 3.1 base score is 5.3 (Medium).
Operationally, it ranks in the top 10.7% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The flaw is reachable only when Undertow's learning-push handler is enabled in the server configuration; the handler is disabled by default. The handler records which resources clients fetch alongside a page so that it can server-push them on later requests, and its maxAge setting bounds how long that learned data is retained. At the default value of -1 the data is never expired, so memory held by the handler is never released (CWE-401); setting maxAge to any other value removes the condition. No special client capability is needed: the vulnerable code is reached through ordinary HTTP requests to the server.
An unauthenticated attacker with network access can send crafted HTTP requests to trigger the leak, producing a limited denial-of-service condition that affects availability but not confidentiality or integrity. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, giving a base score of 5.3: network-reachable, low attack complexity, no privileges or user interaction required, and a low availability impact only.
Red Hat has published multiple advisories (RHSA-2024:4392, RHSA-2024:5143, RHSA-2024:5144, RHSA-2024:5145, and RHSA-2024:5147) that address the issue through updated packages for affected products. The current EPSS score remains low at 0.0443 after a modest and temporary peak.
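The two configurations the analysis contrasts, as an added illustration that is not code from the Undertow project or from Red Hat's advisory. It uses Undertow's public LearningPushHandler constructors: the single-argument form keeps the defaults (including maxAge = -1), while the three-argument form takes explicit maxEntries and maxAge values. The concrete numbers are assumptions chosen for illustration, and the unit of maxAge (milliseconds) is also an assumption to be confirmed against the Javadoc of the Undertow version in use.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.LearningPushHandler;
import io.undertow.server.handlers.resource.PathResourceManager;
import io.undertow.server.handlers.resource.ResourceHandler;

import java.nio.file.Paths;

public class PushHandlerConfig {

    // Vulnerable wiring: the one-argument constructor keeps Undertow's
    // defaults, so maxAge stays at -1 and learned push data is never expired.
    // This is the configuration CVE-2024-3653 describes; shown for contrast only.
    static HttpHandler vulnerable(HttpHandler next) {
        return new LearningPushHandler(next);
    }

    // Hardened wiring: give the handler an explicit bound on both the number
    // of cached entries and their age, so memory is released over time.
    // Both values are assumptions for illustration, not vendor guidance.
    static HttpHandler hardened(HttpHandler next) {
        int maxEntries = 1000;        // assumption: cap on learned entries
        int maxAgeMillis = 60_000;    // assumption: expire entries after 60 s (unit assumed ms)
        return new LearningPushHandler(maxEntries, maxAgeMillis, next);
    }

    public static void main(String[] args) {
        // Serve files from ./static (assumed directory) behind the hardened handler.
        HttpHandler files = new ResourceHandler(
                new PathResourceManager(Paths.get("static"), 1024));

        Undertow server = Undertow.builder()
                .addHttpListener(8080, "127.0.0.1")
                .setHandler(hardened(files))
                .build();
        server.start();
    }
}
```

The practical check is therefore a code or configuration review: any construction of LearningPushHandler that does not pass an explicit, non-negative maxAge is in the vulnerable state the advisory describes, regardless of whether HTTP/2 push is actually in use by clients. Deployments that wire handlers declaratively rather than in code should look for the equivalent learning-push entry and confirm its max-age parameter is set (the parameter name is an assumption here; verify it against the handler builder of the deployed version).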
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2322
Vulnerability details
A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.
- CWE(s): CWE-401, Missing Release of Memory after Effective Lifetime
Related Threats
No threat actor has been attributed to this CVE and no ATT&CK technique has been mapped to it.
Affected Assets
Undertow web server deployments with the learning-push handler enabled and maxAge left at its default of -1; for Red Hat products, the package versions covered by the advisories listed above.
Mitigating Controls
Leave the learning-push handler disabled unless it is needed. Where it is enabled, set maxAge to a value other than the default -1 so learned push data is expired. Apply the updated packages from the Red Hat advisories listed above.