Description

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

Remediation

References

https://blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191

Related Vulnerabilities

CVE-2017-16153 Vulnerability in npm package gaoxuyan

CVE-2018-1000182 Vulnerability in maven package org.jenkins-ci.plugins:git

CVE-2019-10434 Vulnerability in maven package com.mtvi.plateng.hudson:ldapemail

CVE-2023-34238 Vulnerability in npm package gatsby

CVE-2022-29040 Vulnerability in maven package org.jenkins-ci.plugins:git-parameter

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mitigation Vendor Advisory NVD-CWE-noinfo