Skip to content

Commit

Permalink
Merge pull request #4981 from github/jw123023-GHSA-ch7q-gpff-h9hp
Browse files Browse the repository at this point in the history
  • Loading branch information
advisory-database[bot] authored Nov 4, 2024
2 parents 2376a60 + 354e0c5 commit 9184e8d
Showing 1 changed file with 20 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -9,16 +9,31 @@
"summary": "Undertow Missing Release of Memory after Effective Lifetime vulnerability",
"details": "A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
}
],
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2.3.0.Alpha1"
},
{
"fixed": "2.3.15.Final"
}
]
}
]
},
{
"package": {
"ecosystem": "Maven",
Expand All @@ -32,7 +47,7 @@
"introduced": "0"
},
{
"last_affected": "2.3.14.Final"
"fixed": "2.2.34.Final"
}
]
}
Expand Down

0 comments on commit 9184e8d

Please sign in to comment.