Vulnerabilities related to Payara Platform - Payara Server
CVE-2024-45687 (GCVE-0-2024-45687)
Vulnerability from cvelistv5
Published
2025-01-21 16:35
Modified
2025-02-12 20:41
CWE
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing. This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.
References
Impacted products
Vendor | Product | Version
---|---|---
Payara Platform | Payara Server | Version: 4.1.151 ≤ 4.1.2.191.51; Version: 5.20.0 ≤ 5.70.0; Version: 5.2020.2 ≤ 5.2022.5; Version: 6.2022.1 ≤ 6.2024.12; Version: 6.0.0 ≤ 6.21.0
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-45687", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-21T17:16:04.924874Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-12T20:41:21.565Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "Grizzly", "REST Management Interface" ], "product": "Payara Server", "vendor": "Payara Platform", "versions": [ { "lessThanOrEqual": "4.1.2.191.51", "status": "affected", "version": "4.1.151", "versionType": "custom" }, { "lessThanOrEqual": "5.70.0", "status": "affected", "version": "5.20.0", "versionType": "semver" }, { "lessThanOrEqual": "5.2022.5", "status": "affected", "version": "5.2020.2", "versionType": "semver" }, { "lessThanOrEqual": "6.2024.12", "status": "affected", "version": "6.2022.1", "versionType": "semver" }, { "lessThanOrEqual": "6.21.0", "status": "affected", "version": "6.0.0", "versionType": "semver" } ] }, { "defaultStatus": "unaffected", "modules": [ "Grizzly" ], "product": "Payara Micro", "vendor": "Payara Platform", "versions": [ { "lessThanOrEqual": "4.1.2.191.51", "status": "affected", "version": "4.1.152", "versionType": "custom" }, { "lessThanOrEqual": "5.70.0", "status": "affected", "version": "5.20.0", "versionType": "semver" }, { "lessThanOrEqual": "5.2022.5", "status": "affected", "version": "5.2020.2", "versionType": "semver" }, { "lessThanOrEqual": "6.2024.12", "status": "affected", "version": "6.2022.1", "versionType": "semver" }, { "lessThanOrEqual": "6.21.0", "status": "affected", "version": "6.0.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Ben Kallus" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": 
false, "type": "text/html", "value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.\u003cp\u003eThis issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.\u003c/p\u003e" } ], "value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0." 
} ], "impacts": [ { "capecId": "CAPEC-74", "descriptions": [ { "lang": "en", "value": "CAPEC-74 Manipulating State" } ] }, { "capecId": "CAPEC-151", "descriptions": [ { "lang": "en", "value": "CAPEC-151 Identity Spoofing" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 2.4, "baseSeverity": "LOW", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-21T16:35:43.932Z", "orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara" }, "references": [ { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html" }, { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html" }, { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html" } ], "source": { "discovery": "UPSTREAM" }, "title": "HTTP Server incorrectly accepting disallowed characters within header values", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, 
"cveMetadata": { "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "assignerShortName": "Payara", "cveId": "CVE-2024-45687", "datePublished": "2025-01-21T16:35:43.932Z", "dateReserved": "2024-09-04T15:55:26.099Z", "dateUpdated": "2025-02-12T20:41:21.565Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-1534 (GCVE-0-2025-1534)
Vulnerability from cvelistv5
Published
2025-04-01 03:25
Modified
2025-04-07 20:59
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows Remote Code Inclusion. This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.
References
Impacted products
Vendor | Product | Version
---|---|---
Payara Platform | Payara Server | Version: 4.1.2.1919.1 < 4.1.2.191.51; Version: 5.20.0 < 5.68.0; Version: 6.0.0 < 6.23.0; Version: 6.2022.1 < 6.2025.2
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-1534", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-01T14:12:47.247787Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-03T17:56:27.150Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Payara Server", "vendor": "Payara Platform", "versions": [ { "lessThan": "4.1.2.191.51", "status": "affected", "version": "4.1.2.1919.1", "versionType": "semver" }, { "lessThan": "5.68.0", "status": "affected", "version": "5.20.0", "versionType": "semver" }, { "lessThan": "6.23.0", "status": "affected", "version": "6.0.0", "versionType": "semver" }, { "lessThan": "6.2025.2", "status": "affected", "version": "6.2022.1", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Marco Ventura" }, { "lang": "en", "type": "reporter", "value": "Claudia Bartolini" }, { "lang": "en", "type": "reporter", "value": "Massimiliano Brolli" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "CVE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.\u003cp\u003eThis issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.\u003c/p\u003e" } ], "value": "CVE-79: Improper Neutralization of Input During Web Page Generation 
(\u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2." } ], "impacts": [ { "capecId": "CAPEC-253", "descriptions": [ { "lang": "en", "value": "CAPEC-253: Remote Code Inclusion" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.8, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/R:U", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "description": "CVE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-07T20:59:19.493Z", "orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara" }, "references": [ { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.24.0.html" }, { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/community/docs/6.2025.3/Release%20Notes/Release%20Notes%206.2025.3.html" }, { "tags": [ "media-coverage" ], "url": "https://www.gruppotim.it/it/footer/red-team.html" } ], "source": { "discovery": "EXTERNAL" }, "title": "Cross-site Scripting (Stored)", "x_generator": { 
"engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "assignerShortName": "Payara", "cveId": "CVE-2025-1534", "datePublished": "2025-04-01T03:25:30.153Z", "dateReserved": "2025-02-21T03:16:53.650Z", "dateUpdated": "2025-04-07T20:59:19.493Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-8215 (GCVE-0-2024-8215)
Vulnerability from cvelistv5
Published
2024-10-08 15:17
Modified
2024-10-08 16:24
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion. This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.
References
Impacted products
Vendor | Product | Version
---|---|---
Payara Platform | Payara Server | Version: 5.20.0 < 5.68.0; Version: 6.0.0 < 6.19.0; Version: 6.2022.1 < 6.2024.10; Version: 4.1.2.191.1 < 4.1.2.191.51
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:payara_platform:payara_server:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "payara_server", "vendor": "payara_platform", "versions": [ { "lessThan": "5.68.0", "status": "affected", "version": "5.20.0", "versionType": "semver" }, { "lessThan": "6.19.0", "status": "affected", "version": "6.0.0", "versionType": "semver" }, { "lessThan": "6.2024.10", "status": "affected", "version": "6.2022.1", "versionType": "semver" }, { "lessThan": "4.1.2.191.51", "status": "affected", "version": "4.1.2.191.1", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-8215", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T16:19:36.750838Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T16:24:35.824Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "Admin Console" ], "product": "Payara Server", "vendor": "Payara Platform", "versions": [ { "lessThan": "5.68.0", "status": "affected", "version": "5.20.0", "versionType": "semver" }, { "lessThan": "6.19.0", "status": "affected", "version": "6.0.0", "versionType": "semver" }, { "lessThan": "6.2024.10", "status": "affected", "version": "6.2022.1", "versionType": "semver" }, { "lessThan": "4.1.2.191.51", "status": "affected", "version": "4.1.2.191.1", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Marco Ventura" }, { "lang": "en", "type": "reporter", "value": "Claudia Bartolini" }, { "lang": "en", "type": "reporter", "value": "Andrea Carlo Maria Dattola" }, { "lang": "en", "type": "reporter", "value": "Debora Esposito" }, { "lang": "en", "type": "reporter", "value": "Massimiliano Broli" } ], 
"descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.\u003cp\u003eThis issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.\u003c/p\u003e" } ], "value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51." } ], "impacts": [ { "capecId": "CAPEC-253", "descriptions": [ { "lang": "en", "value": "CAPEC-253 Remote Code Inclusion" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)", "lang": "en", "type": 
"CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-08T15:17:10.178Z", "orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara" }, "references": [ { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.19.0.html" }, { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.10.html" }, { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/enterprise/docs/5.68.0/Release%20Notes/Release%20Notes%205.68.0.html" } ], "source": { "discovery": "UPSTREAM" }, "title": "Payload Injection Attack via Management REST interface", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "assignerShortName": "Payara", "cveId": "CVE-2024-8215", "datePublished": "2024-10-08T15:17:10.178Z", "dateReserved": "2024-08-27T11:51:30.618Z", "dateUpdated": "2024-10-08T16:24:35.824Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-8097 (GCVE-0-2024-8097)
Vulnerability from cvelistv5
Published
2024-09-11 16:32
Modified
2024-09-11 18:52
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50.
References
Impacted products
Vendor | Product | Version
---|---|---
Payara Platform | Payara Server | Version: 6.0.0 < 6.18.0; Version: 6.2022.1 < 6.2024.9; Version: 5.20.0 < 5.67.0; Version: 5.2020.2 < 5.2022.5; Version: 4.1.2.191.0 < 4.1.2.191.50
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-8097", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T18:52:39.001756Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T18:52:51.760Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "Logging" ], "product": "Payara Server", "vendor": "Payara Platform", "versions": [ { "lessThan": "6.18.0", "status": "affected", "version": "6.0.0", "versionType": "semver" }, { "lessThan": "6.2024.9", "status": "affected", "version": "6.2022.1", "versionType": "semver" }, { "lessThan": "5.67.0", "status": "affected", "version": "5.20.0", "versionType": "semver" }, { "lessThan": "5.2022.5", "status": "affected", "version": "5.2020.2", "versionType": "semver" }, { "lessThan": "4.1.2.191.50", "status": "affected", "version": "4.1.2.191.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Marco Ventura" }, { "lang": "en", "type": "reporter", "value": "Claudia Bartolini" }, { "lang": "en", "type": "reporter", "value": "Andrea Carlo Maria Dattola" }, { "lang": "en", "type": "reporter", "value": "Debora Esposito" }, { "lang": "en", "type": "reporter", "value": "Massimiliano Brolli" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log.\u003cp\u003eThis issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 
4.1.2.191.50.\u003c/p\u003e" } ], "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50." } ], "impacts": [ { "descriptions": [ { "lang": "en", "value": "Sensitive credentials posted in plain-text on the server log" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.7, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-11T16:32:10.475Z", "orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara" }, "references": [ { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.9.html" }, { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html" } ], "source": { "discovery": "UPSTREAM" }, "title": 
"Sensitive information exposure when the org.glassfish.admingui LOGGER is set to FINEST level", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "assignerShortName": "Payara", "cveId": "CVE-2024-8097", "datePublished": "2024-09-11T16:32:10.475Z", "dateReserved": "2024-08-22T15:06:11.250Z", "dateUpdated": "2024-09-11T18:52:51.760Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-7312 (GCVE-0-2024-7312)
Vulnerability from cvelistv5
Published
2024-09-11 15:28
Modified
2024-09-11 19:32
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.
References
Impacted products
Vendor | Product | Version
---|---|---
Payara Platform | Payara Server | Version: 6.0.0 < 6.18.0; Version: 6.2022.1 < 6.2024.9; Version: 5.2020.2 < 5.2022.5; Version: 5.20.0 < 5.67.0; Version: 4.1.2.191.0 < 4.1.2.191.50
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*" ], "defaultStatus": "unknown", "product": "payara", "vendor": "payara", "versions": [ { "lessThan": "6.18.0", "status": "affected", "version": "6.0.0", "versionType": "semver" }, { "lessThan": "6.2024.6", "status": "affected", "version": "6.2022.1", "versionType": "semver" }, { "lessThan": "5.2022.5", "status": "affected", "version": "5.2020.2", "versionType": "semver" }, { "lessThan": "4.1.2.191.50", "status": "affected", "version": "4.1.2.191.0", "versionType": "semver" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-7312", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-09-11T18:12:12.528111Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-11T18:15:38.837Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "modules": [ "REST Management Interface" ], "product": "Payara Server", "vendor": "Payara Platform", "versions": [ { "lessThan": "6.18.0", "status": "affected", "version": "6.0.0", "versionType": "semver" }, { "lessThan": "6.2024.9", "status": "affected", "version": "6.2022.1", "versionType": "semver" }, { "lessThan": "5.2022.5", "status": "affected", "version": "5.2020.2", "versionType": "semver" }, { "lessThan": "5.67.0", "status": "affected", "version": "5.20.0", "versionType": "semver" }, { "lessThan": "4.1.2.191.50", "status": "affected", "version": "4.1.2.191.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Marco Ventura" }, { "lang": "en", "type": "reporter", "value": "Claudia Bartolini" }, { "lang": "en", "type": "reporter", "value": "Andrea Carlo Maria Dattola" }, { "lang": "en", "type": "reporter", "value": "Debora Esposito" 
}, { "lang": "en", "type": "reporter", "value": "Massimiliano Brolli" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.\u003cp\u003eThis issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.\u003c/p\u003e" } ], "value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50." } ], "impacts": [ { "capecId": "CAPEC-593", "descriptions": [ { "lang": "en", "value": "CAPEC-593 Session Hijacking" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", 
"lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-11T19:32:42.844Z", "orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara" }, "references": [ { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/enterprise/docs/5.67.0/Release%20Notes/Release%20Notes%205.67.0.html" }, { "tags": [ "release-notes" ], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html" } ], "source": { "discovery": "UPSTREAM" }, "title": "REST Interface Link Redirection via Host parameter", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "assignerShortName": "Payara", "cveId": "CVE-2024-7312", "datePublished": "2024-09-11T15:28:43.452Z", "dateReserved": "2024-07-30T20:07:31.604Z", "dateUpdated": "2024-09-11T19:32:42.844Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }