github · advisory-database · Nov 4, 2024 · Nov 4, 2024
diff --git a/advisories/github-reviewed/2024/07/GHSA-ch7q-gpff-h9hp/GHSA-ch7q-gpff-h9hp.json b/advisories/github-reviewed/2024/07/GHSA-ch7q-gpff-h9hp/GHSA-ch7q-gpff-h9hp.json
@@ -9,16 +9,31 @@
   "summary": "Undertow Missing Release of Memory after Effective Lifetime vulnerability",
   "details": "A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
-    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "io.undertow:undertow-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.3.0.Alpha1"
+            },
+            {
+              "fixed": "2.3.15.Final"
+            }
+          ]
+        }
+      ]
+    },
     {
       "package": {
         "ecosystem": "Maven",
@@ -32,7 +47,7 @@
               "introduced": "0"
             },
             {
-              "last_affected": "2.3.14.Final"
+              "fixed": "2.2.34.Final"
             }
           ]
         }