PT-2025-2727 · Payara · Payara Micro, Payara Server

Ben Kallus

Published: 2025-01-21 · Updated: 2025-01-21

CVE-2024-45687

CVSS v4.0: 2.4 (Low)

Vector: AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:

Payara Server versions 4.1.151 through 4.1.2.191.51
Payara Server versions 5.20.0 through 5.70.0
Payara Server versions 5.2020.2 through 5.2022.5
Payara Server versions 6.2022.1 through 6.2024.12
Payara Server versions 6.0.0 through 6.21.0
Payara Micro versions 4.1.152 through 4.1.2.191.51
Payara Micro versions 5.20.0 through 5.70.0
Payara Micro versions 5.2020.2 through 5.2022.5
Payara Micro versions 6.2022.1 through 6.2024.12
Payara Micro versions 6.0.0 through 6.21.0
Description: The issue affects the Payara Platform, specifically Payara Server and Payara Micro, and allows Manipulating State and Identity Spoofing due to Improper Neutralization of CRLF Sequences in HTTP Headers (CWE-113), also known as 'HTTP Request/Response Splitting'.
Recommendations: For every affected Payara Server and Payara Micro version range listed above, update to a version outside of that range to resolve the issue. As a temporary workaround, consider disabling the Grizzly and REST Management Interface modules until a patch is available. Restrict access to the vulnerable Grizzly modules to minimize the risk of exploitation.
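The weakness the description names, a CR/LF sequence reaching an HTTP header, as an added Python illustration that is not Payara's or Grizzly's code: the unvalidated serializer shows how a single header value turns into two header lines on the wire, and the hardened path rejects the value before any byte is written. The RFC 9110 character classes, the function names and the tainted sample value are all constructed for this example.

```python
import re

# RFC 9110 grammar, transcribed here for the example: a field name is a token,
# a field value is VCHAR / SP / HTAB / obs-text and never contains CR, LF or NUL.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class HeaderInjectionError(ValueError):
    """A header name or value would break the CRLF framing of the message."""


def validate_header(name: str, value: str) -> None:
    # fullmatch() rather than match()+'$': '$' would accept a value ending in a bare '\n'.
    if not _TOKEN.fullmatch(name):
        raise HeaderInjectionError(f"illegal header name: {name!r}")
    if not _FIELD_VALUE.fullmatch(value):
        raise HeaderInjectionError(f"CR/LF/NUL in value of {name!r}: {value!r}")


def serialize_headers(headers, strict=True) -> bytes:
    """Serialize (name, value) pairs as an HTTP header block.

    strict=False reproduces the weakness: values are written verbatim.
    strict=True is the hardened form: every pair is validated before emission.
    """
    lines = []
    for name, value in headers:
        if strict:
            validate_header(name, value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_lines_seen(raw: bytes) -> list:
    """Header lines a receiver would parse; more than were set means the message was split."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")


# Constructed sample: a redirect target copied from a request parameter that
# carries an embedded CRLF followed by a header the application never set.
TAINTED_LOCATION = "/home\r\nX-Injected: yes"

if __name__ == "__main__":
    unsafe = serialize_headers([("Location", TAINTED_LOCATION)], strict=False)
    print(header_lines_seen(unsafe))  # two header lines from one header assignment
    try:
        serialize_headers([("Location", TAINTED_LOCATION)])
    except HeaderInjectionError as e:
        print("rejected:", e)
```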


Weakness Enumeration

Related identifiers

CVE-2024-45687

Affected products

Payara Micro
Payara Server