Description

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

Remediation

References

https://blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191

Related Vulnerabilities

CVE-2021-37579 Vulnerability in maven package org.apache.dubbo:dubbo-common

CVE-2023-39156 Vulnerability in maven package org.jenkins-ci.plugins:bazaar

CVE-2021-21615 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2017-8046 Vulnerability in maven package org.springframework.boot:spring-boot-starter-data-rest

CVE-2013-2186 Vulnerability in maven package commons-fileupload:commons-fileupload

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mitigation Vendor Advisory NVD-CWE-noinfo