VulnerableCode Package Details - pkg:rpm/redhat/eap7-undertow@2.2.33-1.SP1_redhat

Search for packages

Vulnerability	Summary	Fixed by
VCID-2e6w-fs4j-17g9 Aliases: CVE-2024-27316	HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.	There are no reported fixed by versions.
VCID-brsa-ygcs-wudx Aliases: CVE-2024-5971 GHSA-xpp6-8r3j-ww43	Undertow Denial of Service vulnerability A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected `0\r\n` termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.	There are no reported fixed by versions.
VCID-bsd5-k44s-buhu Aliases: CVE-2024-3653 GHSA-ch7q-gpff-h9hp	Undertow Missing Release of Memory after Effective Lifetime vulnerability A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-2e6w-fs4j-17g9
Aliases:
CVE-2024-27316

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

There are no reported fixed by versions.

VCID-brsa-ygcs-wudx
Aliases:
CVE-2024-5971
GHSA-xpp6-8r3j-ww43

Undertow Denial of Service vulnerability A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected `0\r\n` termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.

There are no reported fixed by versions.

VCID-bsd5-k44s-buhu
Aliases:
CVE-2024-3653
GHSA-ch7q-gpff-h9hp

Undertow Missing Release of Memory after Effective Lifetime vulnerability A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:48:35.341150+00:00	RedHat Importer	Affected by	VCID-2e6w-fs4j-17g9	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27316.json	38.0.0
2026-04-01T13:46:29.090429+00:00	RedHat Importer	Affected by	VCID-brsa-ygcs-wudx	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-5971.json	38.0.0
2026-04-01T13:46:29.014938+00:00	RedHat Importer	Affected by	VCID-bsd5-k44s-buhu	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-3653.json	38.0.0