GHSA-xc93-587g-mxm7

Suggest an improvement
Source
https://github.com/advisories/GHSA-xc93-587g-mxm7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-xc93-587g-mxm7/GHSA-xc93-587g-mxm7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xc93-587g-mxm7
Aliases
  • CVE-2023-28462
Published
2023-03-30T21:30:21Z
Modified
2023-11-08T04:12:11.630330Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Payara Server allows remote attackers to load malicious code on the server once a JNDI directory scan is performed
Details

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

Database specific 
{
    "nvd_published_at": "2023-03-30T20:15:00Z",
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-10T16:38:33Z"
}
References

Affected packages

Maven / fish.payara.server:payara-aggregator

Package

Name
fish.payara.server:payara-aggregator
View open source insights on deps.dev
Purl
pkg:maven/fish.payara.server/payara-aggregator

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2020.1
Fixed
6.2022.1.Alpha3