Lucene search

[email protected]CVE-2023-28462

HistoryMar 30, 2023 - 8:15 p.m.

CVE-2023-28462

2023-03-3020:15:07

[email protected]

web.nvd.nist.gov

cve-2023-28462

jndi

orb listener

payara server

remote code execution

security vulnerability

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.5%

JSON

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

Affected configurations

NVD

Node

payarapayara_serverRange4.1.2.191–5.0.0enterprise

payarapayara_serverRange5.20.0≥enterprise

payarapayara_serverRange5.2020.1≥community

AND

oraclejdkMatch1.8.0update181

CPENameOperatorVersion
payara:payara_serverpayara payara serverle5.0.0
payara:payara_serverpayara payara servereq*

CPE	Name	Operator	Version
payara:payara_server	payara payara server	le	5.0.0
payara:payara_server	payara payara server	eq	*

References

blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.5%

JSON

Related for CVE-2023-28462

prion1 cvelist1 github1 osv1 nvd1