Description
A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when running on Java 1.8u181 or earlier, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.
Remediation
References
https://blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191