Description

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

Remediation

References

https://blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191

Related Vulnerabilities

CVE-2022-1274 Vulnerability in maven package org.keycloak:keycloak-themes

CVE-2023-25766 Vulnerability in maven package org.jenkins-ci.plugins:azure-credentials

CVE-2022-35924 Vulnerability in npm package next-auth

CVE-2020-2217 Vulnerability in maven package org.jenkins-ci.plugins:compatibility-action-storage

CVE-2014-2066 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mitigation Vendor Advisory NVD-CWE-noinfo