Description

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

Remediation

References

https://blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191

Related Vulnerabilities

CVE-2017-5653 Vulnerability in maven package org.apache.cxf:cxf-rt-rs-security-xml

CVE-2021-40822 Vulnerability in maven package org.geoserver:gs-main

CVE-2023-44483 Vulnerability in maven package org.apache.santuario:xmlsec

CVE-2020-11022 Vulnerability in maven package org.fujion.webjars:jquery

CVE-2020-2224 Vulnerability in maven package org.jenkins-ci.plugins:matrix-project

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mitigation Vendor Advisory NVD-CWE-noinfo