CVE-2024-45687 (GCVE-0-2024-45687)
Vulnerability from cvelistv5 – Published: 2025-01-21 16:35 – Updated: 2025-02-12 20:41
VLAI?
Summary
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.
Severity ?
CWE
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Payara Platform | Payara Server |
Affected:
4.1.151 , ≤ 4.1.2.191.51
(custom)
Affected: 5.20.0 , ≤ 5.70.0 (semver) Affected: 5.2020.2 , ≤ 5.2022.5 (semver) Affected: 6.2022.1 , ≤ 6.2024.12 (semver) Affected: 6.0.0 , ≤ 6.21.0 (semver) |
|||||||
|
|||||||||
Credits
Ben Kallus
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45687",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T17:16:04.924874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:21.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Grizzly",
"REST Management Interface"
],
"product": "Payara Server",
"vendor": "Payara Platform",
"versions": [
{
"lessThanOrEqual": "4.1.2.191.51",
"status": "affected",
"version": "4.1.151",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.70.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.2022.5",
"status": "affected",
"version": "5.2020.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2024.12",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.21.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"Grizzly"
],
"product": "Payara Micro",
"vendor": "Payara Platform",
"versions": [
{
"lessThanOrEqual": "4.1.2.191.51",
"status": "affected",
"version": "4.1.152",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.70.0",
"status": "affected",
"version": "5.20.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.2022.5",
"status": "affected",
"version": "5.2020.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2024.12",
"status": "affected",
"version": "6.2022.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.21.0",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ben Kallus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.\u003cp\u003eThis issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0."
}
],
"impacts": [
{
"capecId": "CAPEC-74",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-74 Manipulating State"
}
]
},
{
"capecId": "CAPEC-151",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-151 Identity Spoofing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 2.4,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-113",
"description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T16:35:43.932Z",
"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"shortName": "Payara"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html"
}
],
"source": {
"discovery": "UPSTREAM"
},
"title": "HTTP Server incorrectly accepting disallowed characters within header values",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
"assignerShortName": "Payara",
"cveId": "CVE-2024-45687",
"datePublished": "2025-01-21T16:35:43.932Z",
"dateReserved": "2024-09-04T15:55:26.099Z",
"dateUpdated": "2025-02-12T20:41:21.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45687\",\"sourceIdentifier\":\"769c9ae7-73c3-4e47-ae19-903170fc3eb8\",\"published\":\"2025-01-21T17:15:14.073\",\"lastModified\":\"2025-01-21T17:15:14.073\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de neutralizaci\u00f3n incorrecta de secuencias CRLF en encabezados HTTP (\u0027Divisi\u00f3n de solicitud/respuesta HTTP\u0027) en Payara Platform Payara Server (Grizzly, m\u00f3dulos de interfaz de administraci\u00f3n REST), Payara Platform Payara Micro (m\u00f3dulos Grizzly) permite manipular el estado y suplantar la identidad. Este problema afecta a Payara Server: desde la versi\u00f3n 4.1.151 hasta la 4.1.2.191.51, desde la versi\u00f3n 5.20.0 hasta la 5.70.0, desde la versi\u00f3n 5.2020.2 hasta la 5.2022.5, desde la versi\u00f3n 6.2022.1 hasta la 6.2024.12, desde la versi\u00f3n 6.0.0 hasta la 6.21.0; Payara Micro: de 4.1.152 a 4.1.2.191.51, de 5.20.0 a 5.70.0, de 5.2020.2 a 5.2022.5, de 6.2022.1 a 6.2024.12, de 6.0.0 a 6.21.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"769c9ae7-73c3-4e47-ae19-903170fc3eb8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.4,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NEGLIGIBLE\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"769c9ae7-73c3-4e47-ae19-903170fc3eb8\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-113\"}]}],\"references\":[{\"url\":\"https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html\",\"source\":\"769c9ae7-73c3-4e47-ae19-903170fc3eb8\"},{\"url\":\"https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html\",\"source\":\"769c9ae7-73c3-4e47-ae19-903170fc3eb8\"},{\"url\":\"https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html\",\"source\":\"769c9ae7-73c3-4e47-ae19-903170fc3eb8\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45687\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-21T17:16:04.924874Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T20:33:04.809Z\"}}], \"cna\": {\"title\": \"HTTP Server incorrectly accepting disallowed characters within header values\", \"source\": {\"discovery\": \"UPSTREAM\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Ben Kallus\"}], \"impacts\": [{\"capecId\": \"CAPEC-74\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-74 Manipulating State\"}]}, {\"capecId\": \"CAPEC-151\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-151 Identity Spoofing\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NEGLIGIBLE\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2.4, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Payara Platform\", \"modules\": [\"Grizzly\", \"REST Management Interface\"], \"product\": \"Payara Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.1.151\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.1.2.191.51\"}, {\"status\": \"affected\", \"version\": \"5.20.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.70.0\"}, {\"status\": \"affected\", \"version\": \"5.2020.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.2022.5\"}, {\"status\": \"affected\", \"version\": \"6.2022.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.2024.12\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.21.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Payara Platform\", \"modules\": [\"Grizzly\"], \"product\": \"Payara Micro\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.1.152\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.1.2.191.51\"}, {\"status\": \"affected\", \"version\": \"5.20.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.70.0\"}, {\"status\": \"affected\", \"version\": \"5.2020.2\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.2022.5\"}, {\"status\": \"affected\", \"version\": \"6.2022.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.2024.12\"}, {\"status\": \"affected\", \"version\": \"6.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.21.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html\", \"tags\": [\"release-notes\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027) vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.\u003cp\u003eThis issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-113\", \"description\": \"CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"769c9ae7-73c3-4e47-ae19-903170fc3eb8\", \"shortName\": \"Payara\", \"dateUpdated\": \"2025-01-21T16:35:43.932Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45687\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T20:41:21.565Z\", \"dateReserved\": \"2024-09-04T15:55:26.099Z\", \"assignerOrgId\": \"769c9ae7-73c3-4e47-ae19-903170fc3eb8\", \"datePublished\": \"2025-01-21T16:35:43.932Z\", \"assignerShortName\": \"Payara\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…