FKIE_CVE-2025-1534
Vulnerability from fkie_nvd - Published: 2025-04-01 04:15 - Updated: 2025-10-14 17:25
Summary
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows Remote Code Inclusion. This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "9585BCC9-5D17-41AE-991C-EC4B94DAD720",
"versionEndExcluding": "4.1.2.191.51",
"versionStartIncluding": "4.1.2.191.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "5B1B47A2-B9C1-4C93-AE5A-1772EEAA4F65",
"versionEndExcluding": "5.68.0",
"versionStartIncluding": "5.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "54BD5044-171B-46DC-A4D9-42D7CA12DADA",
"versionEndExcluding": "6.24.0",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "42EBCFDC-9538-4229-8FD5-E7EB7A6F73F1",
"versionEndExcluding": "6.2025.3",
"versionStartIncluding": "6.2022.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CVE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2."
},
{
"lang": "es",
"value": "CVE-79: Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (\u0027Cross-site Scripting\u0027) en Payara Platform Payara Server permite: Inclusi\u00f3n de c\u00f3digo remoto. Este problema afecta a Payara Server: desde 4.1.2.1919.1 antes de 4.1.2.191.51, desde 5.20.0 antes de 5.68.0, desde 6.0.0 antes de 6.23.0, desde 6.2022.1 antes de 6.2025.2."
}
],
"id": "CVE-2025-1534",
"lastModified": "2025-10-14T17:25:28.423",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"type": "Secondary"
}
]
},
"published": "2025-04-01T04:15:44.170",
"references": [
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/community/docs/6.2025.3/Release%20Notes/Release%20Notes%206.2025.3.html"
},
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.24.0.html"
},
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Third Party Advisory"
],
"url": "https://www.gruppotim.it/it/footer/red-team.html"
}
],
"sourceIdentifier": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-8215
Vulnerability from fkie_nvd - Published: 2024-10-08 16:15 - Updated: 2024-10-16 17:58
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion. This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "F39A122C-A150-49C5-81ED-CBBFC5186D89",
"versionEndExcluding": "4.1.2.191.51",
"versionStartIncluding": "4.1.2.191",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "5B1B47A2-B9C1-4C93-AE5A-1772EEAA4F65",
"versionEndExcluding": "5.68.0",
"versionStartIncluding": "5.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "3A7E30D4-42E1-4F53-8EE3-CDD2CCF81BDF",
"versionEndIncluding": "6.19.0",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "85985C43-D48F-4675-BF30-B708BF45701A",
"versionEndExcluding": "6.2024.10",
"versionStartIncluding": "6.2022.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51."
},
{
"lang": "es",
"value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de la entrada durante la generaci\u00f3n de p\u00e1ginas web (XSS o \u0027Cross-site Scripting\u0027) en Payara Platform Payara Server (m\u00f3dulos de la consola de administraci\u00f3n) permite la inclusi\u00f3n remota de c\u00f3digo. Este problema afecta a Payara Server: desde 5.20.0 hasta 5.68.0, desde 6.0.0 hasta 6.19.0, desde 6.2022.1 hasta 6.2024.10, desde 4.1.2.191.1 hasta 4.1.2.191.51."
}
],
"id": "CVE-2024-8215",
"lastModified": "2024-10-16T17:58:52.013",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"type": "Secondary"
}
]
},
"published": "2024-10-08T16:15:13.380",
"references": [
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.10.html"
},
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/enterprise/docs/5.68.0/Release%20Notes/Release%20Notes%205.68.0.html"
},
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.19.0.html"
}
],
"sourceIdentifier": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-7312
Vulnerability from fkie_nvd - Published: 2024-09-11 16:15 - Updated: 2024-09-13 16:27
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "2CB09C88-3E34-43D4-AD55-73821A0F462E",
"versionEndExcluding": "4.1.2.191.50",
"versionStartIncluding": "4.1.2.191.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "34A634E3-24B0-4E29-8B62-8E6F6A68D0AA",
"versionEndExcluding": "5.67.0",
"versionStartIncluding": "5.20.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "E0E17F5A-30D2-407F-8570-8B82509B9055",
"versionEndExcluding": "5.2022.5",
"versionStartIncluding": "5.2020.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "EF14AD8C-DBCC-4739-9058-9AF97D71323E",
"versionEndExcluding": "6.18.0",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "2A479A71-9114-46E4-BFA3-BB7FD36FA56A",
"versionEndExcluding": "6.2024.9",
"versionStartIncluding": "6.2022.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50."
},
{
"lang": "es",
"value": "Vulnerabilidad de redirecci\u00f3n de URL a un sitio no confiable (\u0027Redirecci\u00f3n abierta\u0027) en Payara Platform Payara Server (m\u00f3dulos de interfaz de administraci\u00f3n REST) permite el secuestro de sesi\u00f3n. Este problema afecta a Payara Server: desde 6.0.0 antes de 6.18.0, desde 6.2022.1 antes de 6.2024.9, desde 5.2020.2 antes de 5.2022.5, desde 5.20.0 antes de 5.67.0, desde 4.1.2.191.0 antes de 4.1.2.191.50."
}
],
"id": "CVE-2024-7312",
"lastModified": "2024-09-13T16:27:50.577",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"type": "Secondary"
}
]
},
"published": "2024-09-11T16:15:08.080",
"references": [
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/enterprise/docs/5.67.0/Release%20Notes/Release%20Notes%205.67.0.html"
},
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html"
}
],
"sourceIdentifier": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-41699
Vulnerability from fkie_nvd - Published: 2023-11-15 20:15 - Updated: 2024-11-21 08:21
Severity
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries. This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "ADFB7392-9992-4248-BDAB-2320A4C59274",
"versionEndExcluding": "4.1.2.191.46",
"versionStartIncluding": "4.1.2.191",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "A4D9499F-D000-47D3-93ED-853F62375552",
"versionEndExcluding": "5.57.0",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "0DAE4FFA-8969-4B46-8D23-D3B513FFE294",
"versionEndExcluding": "6.8.0",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "58FBC93E-5A50-436A-98D9-11F4D12AEB4B",
"versionEndExcluding": "6.2023.11",
"versionStartIncluding": "6.2023.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\n\n"
},
{
"lang": "es",
"value": "Vulnerabilidad de redirecci\u00f3n de URL a sitio no confiable (\u0027Open Redirect\u0027) en Payara Platform Payara Server, Micro y Embedded (m\u00f3dulos de implementaci\u00f3n de Servlet) permite el acceso de redireccionamiento a librer\u00edas. Este problema afecta a Payara Server, Micro y Embedded: desde 5.0.0 antes de 5.57.0 , desde 4.1.2.191 anterior a 4.1.2.191.46, desde 6.0.0 anterior a 6.8.0, desde 6.2023.1 anterior a 6.2023.11."
}
],
"id": "CVE-2023-41699",
"lastModified": "2024-11-21T08:21:30.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-15T20:15:07.580",
"references": [
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"
},
{
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"
}
],
"sourceIdentifier": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-45129
Vulnerability from fkie_nvd - Published: 2022-11-10 06:15 - Updated: 2025-05-01 14:15
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "E3A4E671-807C-427F-99F9-8432AC4BF9AE",
"versionEndExcluding": "4.1.2.191.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "166832EB-78AC-45D0-9CBC-6224B42F6377",
"versionEndExcluding": "5.45.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "164CD4C9-D211-45C5-8B34-441A549C197C",
"versionEndExcluding": "5.2022.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "13FD7C98-C2AC-44DE-BD23-0AB067E2AB0B",
"versionEndExcluding": "6.2022.1",
"versionStartIncluding": "6.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0."
},
{
"lang": "es",
"value": "Payara antes del 4 de noviembre de 2022, cuando se implementaba en el contexto root, permit\u00eda a los atacantes visitar META-INF y WEB-INF, una vulnerabilidad diferente a CVE-2022-37422. Esto afecta a Payara Platform Community antes de 4.1.2.191.38, 5.x antes de 5.2022.4 y 6.x antes de 6.2022.1, y a Payara Platform Enterprise antes de 5.45.0."
}
],
"id": "CVE-2022-45129",
"lastModified": "2025-05-01T14:15:33.720",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-10T06:15:13.813",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/169864/Payara-Platform-Path-Traversal.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Nov/11"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.payara.fish/community/docs/6.2022.1/Release%20Notes/Release%20Notes%206.2022.1.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%205.2022.4.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.45.0.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/payara/Payara/commit/cccdfddeda71c78ae7b3179db5429e1bb8a56b2e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/169864/Payara-Platform-Path-Traversal.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Nov/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.payara.fish/community/docs/6.2022.1/Release%20Notes/Release%20Notes%206.2022.1.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%205.2022.4.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.45.0.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/payara/Payara/commit/cccdfddeda71c78ae7b3179db5429e1bb8a56b2e"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-37422
Vulnerability from fkie_nvd - Published: 2022-08-18 19:15 - Updated: 2024-11-21 07:14
Summary
Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://blog.payara.fish/august-community-5-release | Release Notes, Vendor Advisory |
| cve@mitre.org | https://www.payara.fish/downloads/ | Product |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.payara.fish/august-community-5-release | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.payara.fish/downloads/ | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "DD6C9BF7-1CEC-4052-81A1-8D2C2269AC9B",
"versionEndExcluding": "4.1.2.191.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*",
"matchCriteriaId": "2D7EDD1C-D206-43E7-BBC3-2A51983808C8",
"versionEndExcluding": "5.2022.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*",
"matchCriteriaId": "7492FF19-9131-4230-ADD9-997E6A80354B",
"versionEndExcluding": "5.42.0",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded."
},
{
"lang": "es",
"value": "Payara versiones hasta 5.2022.2, permite un salto de directorio sin autenticaci\u00f3n. Esto afecta a Payara Server, Payara Micro y Payara Server Embedded."
}
],
"id": "CVE-2022-37422",
"lastModified": "2024-11-21T07:14:57.710",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-18T19:15:14.663",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.payara.fish/august-community-5-release"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.payara.fish/downloads/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.payara.fish/august-community-5-release"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.payara.fish/downloads/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-1534 (GCVE-0-2025-1534)
Vulnerability from cvelistv5 – Published: 2025-04-01 03:25 – Updated: 2025-04-07 20:59
Title
Cross-site Scripting (Stored)
Summary
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows Remote Code Inclusion. This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Payara Platform | Payara Server | Affected: 4.1.2.1919.1 , < 4.1.2.191.51 (semver); Affected: 5.20.0 , < 5.68.0 (semver); Affected: 6.0.0 , < 6.23.0 (semver); Affected: 6.2022.1 , < 6.2025.2 (semver) |
Credits
Marco Ventura
Claudia Bartolini
Massimiliano Brolli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1534",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T14:12:47.247787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T17:56:27.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Payara Server",
"vendor": "Payara Platform",
"versions": [
{
"lessThan": "4.1.2.191.51",
"status": "affected",
"version": "4.1.2.1919.1",
"versionType": "semver"
},
{
"lessThan": "5.68.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThan": "6.23.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2025.2",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Marco Ventura"
},
{
"lang": "en",
"type": "reporter",
"value": "Claudia Bartolini"
},
{
"lang": "en",
"type": "reporter",
"value": "Massimiliano Brolli"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.\u003cp\u003eThis issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.\u003c/p\u003e"
}
],
"value": "CVE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253: Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/R:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CVE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T20:59:19.493Z",
"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"shortName": "Payara"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.24.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/community/docs/6.2025.3/Release%20Notes/Release%20Notes%206.2025.3.html"
},
{
"tags": [
"media-coverage"
],
"url": "https://www.gruppotim.it/it/footer/red-team.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (Stored)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"assignerShortName": "Payara",
"cveId": "CVE-2025-1534",
"datePublished": "2025-04-01T03:25:30.153Z",
"dateReserved": "2025-02-21T03:16:53.650Z",
"dateUpdated": "2025-04-07T20:59:19.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8215 (GCVE-0-2024-8215)
Vulnerability from cvelistv5 – Published: 2024-10-08 15:17 – Updated: 2024-10-08 16:24
Title
Payload Injection Attack via Management REST interface
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Payara Platform | Payara Server | Affected: 5.20.0 , < 5.68.0 (semver); Affected: 6.0.0 , < 6.19.0 (semver); Affected: 6.2022.1 , < 6.2024.10 (semver); Affected: 4.1.2.191.1 , < 4.1.2.191.51 (custom) |
Credits
Marco Ventura
Claudia Bartolini
Andrea Carlo Maria Dattola
Debora Esposito
Massimiliano Broli
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:payara_platform:payara_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "payara_server",
"vendor": "payara_platform",
"versions": [
{
"lessThan": "5.68.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThan": "6.19.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2024.10",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.51",
"status": "affected",
"version": "4.1.2.191.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T16:19:36.750838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T16:24:35.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Admin Console"
],
"product": "Payara Server",
"vendor": "Payara Platform",
"versions": [
{
"lessThan": "5.68.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThan": "6.19.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2024.10",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.51",
"status": "affected",
"version": "4.1.2.191.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Marco Ventura"
},
{
"lang": "en",
"type": "reporter",
"value": "Claudia Bartolini"
},
{
"lang": "en",
"type": "reporter",
"value": "Andrea Carlo Maria Dattola"
},
{
"lang": "en",
"type": "reporter",
"value": "Debora Esposito"
},
{
"lang": "en",
"type": "reporter",
"value": "Massimiliano Broli"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.\u003cp\u003eThis issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T15:17:10.178Z",
"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"shortName": "Payara"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.19.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.10.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/5.68.0/Release%20Notes/Release%20Notes%205.68.0.html"
}
],
"source": {
"discovery": "UPSTREAM"
},
"title": "Payload Injection Attack via Management REST interface",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"assignerShortName": "Payara",
"cveId": "CVE-2024-8215",
"datePublished": "2024-10-08T15:17:10.178Z",
"dateReserved": "2024-08-27T11:51:30.618Z",
"dateUpdated": "2024-10-08T16:24:35.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7312 (GCVE-0-2024-7312)
Vulnerability from cvelistv5 – Published: 2024-09-11 15:28 – Updated: 2024-09-11 19:32
Title
REST Interface Link Redirection via Host parameter
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.
Severity
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Payara Platform | Payara Server | Affected: 6.0.0 , < 6.18.0 (semver); Affected: 6.2022.1 , < 6.2024.9 (semver); Affected: 5.2020.2 , < 5.2022.5 (semver); Affected: 5.20.0 , < 5.67.0 (semver); Affected: 4.1.2.191.0 , < 4.1.2.191.50 (custom) |
Credits
Marco Ventura
Claudia Bartolini
Andrea Carlo Maria Dattola
Debora Esposito
Massimiliano Brolli
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*"
],
"defaultStatus": "unknown",
"product": "payara",
"vendor": "payara",
"versions": [
{
"lessThan": "6.18.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2024.6",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThan": "5.2022.5",
"status": "affected",
"version": "5.2020.2",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.50",
"status": "affected",
"version": "4.1.2.191.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:12:12.528111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:15:38.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"REST Management Interface"
],
"product": "Payara Server",
"vendor": "Payara Platform",
"versions": [
{
"lessThan": "6.18.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2024.9",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThan": "5.2022.5",
"status": "affected",
"version": "5.2020.2",
"versionType": "semver"
},
{
"lessThan": "5.67.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.50",
"status": "affected",
"version": "4.1.2.191.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Marco Ventura"
},
{
"lang": "en",
"type": "reporter",
"value": "Claudia Bartolini"
},
{
"lang": "en",
"type": "reporter",
"value": "Andrea Carlo Maria Dattola"
},
{
"lang": "en",
"type": "reporter",
"value": "Debora Esposito"
},
{
"lang": "en",
"type": "reporter",
"value": "Massimiliano Brolli"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.\u003cp\u003eThis issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.\u003c/p\u003e"
}
],
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50."
}
],
"impacts": [
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593 Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T19:32:42.844Z",
"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"shortName": "Payara"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/5.67.0/Release%20Notes/Release%20Notes%205.67.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html"
}
],
"source": {
"discovery": "UPSTREAM"
},
"title": "REST Interface Link Redirection via Host parameter",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"assignerShortName": "Payara",
"cveId": "CVE-2024-7312",
"datePublished": "2024-09-11T15:28:43.452Z",
"dateReserved": "2024-07-30T20:07:31.604Z",
"dateUpdated": "2024-09-11T19:32:42.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41699 (GCVE-0-2023-41699)
Vulnerability from cvelistv5 – Published: 2023-11-15 19:54 – Updated: 2024-08-29 17:37
Title
Payara Platform: URL Redirection to untrusted site using FORM authentication
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.
Severity
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Payara Platform | Payara Server, Micro and Embedded | Affected: 5.0.0 , < 5.57.0 (semver); Affected: 4.1.2.191 , < 4.1.2.191.46 (semver); Affected: 6.0.0 , < 6.8.0 (semver); Affected: 6.2023.1 , < 6.2023.11 (semver) |
Credits
Hiroki Sawamura from Fujitsu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:35.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T17:36:42.715958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T17:37:00.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Servlet Implementation"
],
"product": "Payara Server, Micro and Embedded",
"vendor": "Payara Platform",
"versions": [
{
"lessThan": "5.57.0",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.46",
"status": "affected",
"version": "4.1.2.191",
"versionType": "semver"
},
{
"lessThan": "6.8.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2023.11",
"status": "affected",
"version": "6.2023.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hiroki Sawamura from Fujitsu"
}
],
"datePublic": "2023-11-16T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.\u003cp\u003eThis issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\u003c/p\u003e"
}
],
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-159",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-159 Redirect Access to Libraries"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-15T19:57:20.119Z",
"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"shortName": "Payara"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"
}
],
"source": {
"defect": [
"CVE-2023-41080"
],
"discovery": "INTERNAL"
},
"title": "Payara Platform: URL Redirection to untrusted site using FORM authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"assignerShortName": "Payara",
"cveId": "CVE-2023-41699",
"datePublished": "2023-11-15T19:54:23.590Z",
"dateReserved": "2023-08-30T16:08:29.041Z",
"dateUpdated": "2024-08-29T17:37:00.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45129 (GCVE-0-2022-45129)
Vulnerability from cvelistv5 – Published: 2022-11-10 00:00 – Updated: 2025-05-01 13:42
Summary
Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0.
Severity
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:01:31.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.45.0.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%205.2022.4.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.payara.fish/community/docs/6.2022.1/Release%20Notes/Release%20Notes%206.2022.1.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/payara/Payara/commit/cccdfddeda71c78ae7b3179db5429e1bb8a56b2e"
},
{
"name": "20221115 SEC Consult SA-20221114-0 :: Path Traversal Vulnerability in Payara Platform",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Nov/11"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/169864/Payara-Platform-Path-Traversal.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45129",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T13:41:07.533850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T13:42:02.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release"
},
{
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.45.0.html"
},
{
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%205.2022.4.html"
},
{
"url": "https://docs.payara.fish/community/docs/6.2022.1/Release%20Notes/Release%20Notes%206.2022.1.html"
},
{
"url": "https://github.com/payara/Payara/commit/cccdfddeda71c78ae7b3179db5429e1bb8a56b2e"
},
{
"name": "20221115 SEC Consult SA-20221114-0 :: Path Traversal Vulnerability in Payara Platform",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Nov/11"
},
{
"url": "http://packetstormsecurity.com/files/169864/Payara-Platform-Path-Traversal.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45129",
"datePublished": "2022-11-10T00:00:00.000Z",
"dateReserved": "2022-11-10T00:00:00.000Z",
"dateUpdated": "2025-05-01T13:42:02.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37422 (GCVE-0-2022-37422)
Vulnerability from cvelistv5 – Published: 2022-08-18 18:02 – Updated: 2024-08-03 10:29
Summary
Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:20.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.payara.fish/downloads/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.payara.fish/august-community-5-release"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-18T18:02:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.payara.fish/downloads/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.payara.fish/august-community-5-release"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-37422",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.payara.fish/downloads/",
"refsource": "MISC",
"url": "https://www.payara.fish/downloads/"
},
{
"name": "https://blog.payara.fish/august-community-5-release",
"refsource": "MISC",
"url": "https://blog.payara.fish/august-community-5-release"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37422",
"datePublished": "2022-08-18T18:02:01",
"dateReserved": "2022-08-05T00:00:00",
"dateUpdated": "2024-08-03T10:29:20.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1534 (GCVE-0-2025-1534)
Vulnerability from nvd – Published: 2025-04-01 03:25 – Updated: 2025-04-07 20:59
Title
Cross-site Scripting (Stored)
Summary
CVE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.
Severity
CWE
- CVE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Payara Platform | Payara Server | Affected: 4.1.2.1919.1 , < 4.1.2.191.51 (semver); Affected: 5.20.0 , < 5.68.0 (semver); Affected: 6.0.0 , < 6.23.0 (semver); Affected: 6.2022.1 , < 6.2025.2 (semver) |
Credits
Marco Ventura
Claudia Bartolini
Massimiliano Brolli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1534",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T14:12:47.247787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T17:56:27.150Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Payara Server",
"vendor": "Payara Platform",
"versions": [
{
"lessThan": "4.1.2.191.51",
"status": "affected",
"version": "4.1.2.1919.1",
"versionType": "semver"
},
{
"lessThan": "5.68.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThan": "6.23.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2025.2",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Marco Ventura"
},
{
"lang": "en",
"type": "reporter",
"value": "Claudia Bartolini"
},
{
"lang": "en",
"type": "reporter",
"value": "Massimiliano Brolli"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "CVE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.\u003cp\u003eThis issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.\u003c/p\u003e"
}
],
"value": "CVE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253: Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/R:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CVE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T20:59:19.493Z",
"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"shortName": "Payara"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.24.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/community/docs/6.2025.3/Release%20Notes/Release%20Notes%206.2025.3.html"
},
{
"tags": [
"media-coverage"
],
"url": "https://www.gruppotim.it/it/footer/red-team.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (Stored)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"assignerShortName": "Payara",
"cveId": "CVE-2025-1534",
"datePublished": "2025-04-01T03:25:30.153Z",
"dateReserved": "2025-02-21T03:16:53.650Z",
"dateUpdated": "2025-04-07T20:59:19.493Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8215 (GCVE-0-2024-8215)
Vulnerability from nvd – Published: 2024-10-08 15:17 – Updated: 2024-10-08 16:24
Title
Payload Injection Attack via Management REST interface
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion. This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Payara Platform | Payara Server | Affected: 5.20.0 , < 5.68.0 (semver); Affected: 6.0.0 , < 6.19.0 (semver); Affected: 6.2022.1 , < 6.2024.10 (semver); Affected: 4.1.2.191.1 , < 4.1.2.191.51 (custom) |
Credits
Marco Ventura
Claudia Bartolini
Andrea Carlo Maria Dattola
Debora Esposito
Massimiliano Broli
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:payara_platform:payara_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "payara_server",
"vendor": "payara_platform",
"versions": [
{
"lessThan": "5.68.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThan": "6.19.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2024.10",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.51",
"status": "affected",
"version": "4.1.2.191.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T16:19:36.750838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T16:24:35.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Admin Console"
],
"product": "Payara Server",
"vendor": "Payara Platform",
"versions": [
{
"lessThan": "5.68.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThan": "6.19.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2024.10",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.51",
"status": "affected",
"version": "4.1.2.191.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Marco Ventura"
},
{
"lang": "en",
"type": "reporter",
"value": "Claudia Bartolini"
},
{
"lang": "en",
"type": "reporter",
"value": "Andrea Carlo Maria Dattola"
},
{
"lang": "en",
"type": "reporter",
"value": "Debora Esposito"
},
{
"lang": "en",
"type": "reporter",
"value": "Massimiliano Broli"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.\u003cp\u003eThis issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion.This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T15:17:10.178Z",
"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"shortName": "Payara"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.19.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.10.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/5.68.0/Release%20Notes/Release%20Notes%205.68.0.html"
}
],
"source": {
"discovery": "UPSTREAM"
},
"title": "Payload Injection Attack via Management REST interface",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"assignerShortName": "Payara",
"cveId": "CVE-2024-8215",
"datePublished": "2024-10-08T15:17:10.178Z",
"dateReserved": "2024-08-27T11:51:30.618Z",
"dateUpdated": "2024-10-08T16:24:35.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7312 (GCVE-0-2024-7312)
Vulnerability from nvd – Published: 2024-09-11 15:28 – Updated: 2024-09-11 19:32
Title
REST Interface Link Redirection via Host parameter
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Payara Platform | Payara Server | Affected: 6.0.0 , < 6.18.0 (semver); Affected: 6.2022.1 , < 6.2024.9 (semver); Affected: 5.2020.2 , < 5.2022.5 (semver); Affected: 5.20.0 , < 5.67.0 (semver); Affected: 4.1.2.191.0 , < 4.1.2.191.50 (custom) |
Credits
Marco Ventura
Claudia Bartolini
Andrea Carlo Maria Dattola
Debora Esposito
Massimiliano Brolli
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*"
],
"defaultStatus": "unknown",
"product": "payara",
"vendor": "payara",
"versions": [
{
"lessThan": "6.18.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2024.6",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThan": "5.2022.5",
"status": "affected",
"version": "5.2020.2",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.50",
"status": "affected",
"version": "4.1.2.191.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T18:12:12.528111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T18:15:38.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"REST Management Interface"
],
"product": "Payara Server",
"vendor": "Payara Platform",
"versions": [
{
"lessThan": "6.18.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2024.9",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThan": "5.2022.5",
"status": "affected",
"version": "5.2020.2",
"versionType": "semver"
},
{
"lessThan": "5.67.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.50",
"status": "affected",
"version": "4.1.2.191.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Marco Ventura"
},
{
"lang": "en",
"type": "reporter",
"value": "Claudia Bartolini"
},
{
"lang": "en",
"type": "reporter",
"value": "Andrea Carlo Maria Dattola"
},
{
"lang": "en",
"type": "reporter",
"value": "Debora Esposito"
},
{
"lang": "en",
"type": "reporter",
"value": "Massimiliano Brolli"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.\u003cp\u003eThis issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.\u003c/p\u003e"
}
],
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50."
}
],
"impacts": [
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593 Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T19:32:42.844Z",
"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"shortName": "Payara"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/5.67.0/Release%20Notes/Release%20Notes%205.67.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html"
}
],
"source": {
"discovery": "UPSTREAM"
},
"title": "REST Interface Link Redirection via Host parameter",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"assignerShortName": "Payara",
"cveId": "CVE-2024-7312",
"datePublished": "2024-09-11T15:28:43.452Z",
"dateReserved": "2024-07-30T20:07:31.604Z",
"dateUpdated": "2024-09-11T19:32:42.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41699 (GCVE-0-2023-41699)
Vulnerability from nvd – Published: 2023-11-15 19:54 – Updated: 2024-08-29 17:37
Title
Payara Platform: URL Redirection to untrusted site using FORM authentication
Summary
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries. This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.
Severity ?
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Payara Platform | Payara Server, Micro and Embedded | Affected: 5.0.0 , < 5.57.0 (semver); Affected: 4.1.2.191 , < 4.1.2.191.46 (semver); Affected: 6.0.0 , < 6.8.0 (semver); Affected: 6.2023.1 , < 6.2023.11 (semver) |
Credits
Hiroki Sawamura from Fujitsu
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:35.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-29T17:36:42.715958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T17:37:00.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Servlet Implementation"
],
"product": "Payara Server, Micro and Embedded",
"vendor": "Payara Platform",
"versions": [
{
"lessThan": "5.57.0",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
},
{
"lessThan": "4.1.2.191.46",
"status": "affected",
"version": "4.1.2.191",
"versionType": "semver"
},
{
"lessThan": "6.8.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.2023.11",
"status": "affected",
"version": "6.2023.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hiroki Sawamura from Fujitsu"
}
],
"datePublic": "2023-11-16T21:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.\u003cp\u003eThis issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\u003c/p\u003e"
}
],
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-159",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-159 Redirect Access to Libraries"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-15T19:57:20.119Z",
"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"shortName": "Payara"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"
}
],
"source": {
"defect": [
"CVE-2023-41080"
],
"discovery": "INTERNAL"
},
"title": "Payara Platform: URL Redirection to untrusted site using FORM authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"assignerShortName": "Payara",
"cveId": "CVE-2023-41699",
"datePublished": "2023-11-15T19:54:23.590Z",
"dateReserved": "2023-08-30T16:08:29.041Z",
"dateUpdated": "2024-08-29T17:37:00.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45129 (GCVE-0-2022-45129)
Vulnerability from nvd – Published: 2022-11-10 00:00 – Updated: 2025-05-01 13:42
Summary
Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:01:31.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.45.0.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%205.2022.4.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://docs.payara.fish/community/docs/6.2022.1/Release%20Notes/Release%20Notes%206.2022.1.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/payara/Payara/commit/cccdfddeda71c78ae7b3179db5429e1bb8a56b2e"
},
{
"name": "20221115 SEC Consult SA-20221114-0 :: Path Traversal Vulnerability in Payara Platform",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Nov/11"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/169864/Payara-Platform-Path-Traversal.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45129",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T13:41:07.533850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T13:42:02.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release"
},
{
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.45.0.html"
},
{
"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%205.2022.4.html"
},
{
"url": "https://docs.payara.fish/community/docs/6.2022.1/Release%20Notes/Release%20Notes%206.2022.1.html"
},
{
"url": "https://github.com/payara/Payara/commit/cccdfddeda71c78ae7b3179db5429e1bb8a56b2e"
},
{
"name": "20221115 SEC Consult SA-20221114-0 :: Path Traversal Vulnerability in Payara Platform",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Nov/11"
},
{
"url": "http://packetstormsecurity.com/files/169864/Payara-Platform-Path-Traversal.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45129",
"datePublished": "2022-11-10T00:00:00.000Z",
"dateReserved": "2022-11-10T00:00:00.000Z",
"dateUpdated": "2025-05-01T13:42:02.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37422 (GCVE-0-2022-37422)
Vulnerability from nvd – Published: 2022-08-18 18:02 – Updated: 2024-08-03 10:29
Summary
Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:20.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.payara.fish/downloads/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.payara.fish/august-community-5-release"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-18T18:02:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.payara.fish/downloads/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.payara.fish/august-community-5-release"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-37422",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.payara.fish/downloads/",
"refsource": "MISC",
"url": "https://www.payara.fish/downloads/"
},
{
"name": "https://blog.payara.fish/august-community-5-release",
"refsource": "MISC",
"url": "https://blog.payara.fish/august-community-5-release"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37422",
"datePublished": "2022-08-18T18:02:01",
"dateReserved": "2022-08-05T00:00:00",
"dateUpdated": "2024-08-03T10:29:20.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}