VuXML ID | Description |
22bc5327-f33f-11e8-be46-0019dbb15b3f | payara -- Code execution via crafted PUT requests to JSPs
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP
PUTs enabled (e.g. via setting the readonly initialisation
parameter of the Default servlet to false) it was possible to upload a
JSP file to the server via a specially crafted request. This
JSP could then be requested and any code it contained would be
executed by the server.
Discovery 2017-08-07 Entry 2018-11-28 payara
eq 4.1.2.174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615
CVE-2017-12615
|
71c71ce0-0805-11eb-a3a4-0019dbb15b3f | payara -- multiple vulnerabilities
Payara Releases reports:
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
- CVE-2018-14721 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks
- CVE-2018-14720 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks
- CVE-2018-14719 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
- CVE-2018-14718 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code
- CVE-2018-14371 Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter
Discovery 2019-02-01 Entry 2020-10-06 payara
< 5.191
CVE-2018-14721
CVE-2018-14720
CVE-2018-14719
CVE-2018-14718
CVE-2018-14371
https://docs.payara.fish/community/docs/5.191/security/security-fix-list.html
|
93f8e0ff-f33d-11e8-be46-0019dbb15b3f | payara -- Default typing issue in Jackson Databind
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before
2.9.5 allows unauthenticated remote code execution because of
an incomplete fix for the CVE-2017-7525 deserialization flaw.
This is exploitable by sending maliciously crafted JSON input
to the readValue method of the ObjectMapper, bypassing a
blacklist that is ineffective if the c3p0 libraries are
available in the classpath.
Discovery 2018-02-26 Entry 2018-11-28 payara
eq 4.1.2.181.3
eq 4.1.2.182
eq 5.181.3
eq 5.182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489
CVE-2018-7489
|
b07bdd3c-0809-11eb-a3a4-0019dbb15b3f | Payara -- path traversal flaw via either loc/con parameters in Eclipse Mojarra
Payara Releases reports:
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
- CVE-2020-6950 Eclipse Mojarra vulnerable to path traversal flaw via either loc/con parameters
Discovery 2020-01-13 Entry 2020-10-06 payara
< 5.201
CVE-2020-6950
https://docs.payara.fish/community/docs/5.2020.4/security/security-fix-list.html
|
bd159669-0808-11eb-a3a4-0019dbb15b3f | Payara -- A Polymorphic Typing issue in FasterXML jackson-databind
Payara Releases reports:
The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:
- CVE-2019-12086 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9
Discovery 2019-05-17 Entry 2020-10-06 payara
< 5.193
CVE-2019-12086
https://docs.payara.fish/community/docs/5.193/security/security-fix-list.html
|
d70c9e18-f340-11e8-be46-0019dbb15b3f | payara -- Multiple vulnerabilities
Apache Commons FileUpload before 1.3.3
DiskFileItem File Manipulation Remote Code Execution.
Vulnerability in the Oracle GlassFish Server component of
Oracle Fusion Middleware (subcomponent: Administration).
Supported versions that are affected are 3.0.1 and 3.1.2.
Easily exploitable vulnerability allows low privileged attacker
with logon to the infrastructure where Oracle GlassFish Server
executes to compromise Oracle GlassFish Server. Successful
attacks of this vulnerability can result in unauthorized read
access to a subset of Oracle GlassFish Server accessible data.
CVSS v3.0 Base Score 3.3 (Confidentiality impacts).
Vulnerability in the Oracle GlassFish Server component of Oracle
Fusion Middleware (subcomponent: Core). Supported versions that
are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable
vulnerability allows unauthenticated attacker with network access
via SMTP to compromise Oracle GlassFish Server. Successful
attacks require human interaction from a person other than the
attacker. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle
GlassFish Server accessible data. CVSS v3.0 Base Score 4.3
(Integrity impacts).
Vulnerability in the Oracle GlassFish Server component of
Oracle Fusion Middleware (subcomponent: Security). Supported
versions that are affected are 2.1.1, 3.0.1 and 3.1.2.
Easily exploitable vulnerability allows unauthenticated attacker
with network access via LDAP to compromise Oracle GlassFish Server.
Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle GlassFish Server
accessible data as well as unauthorized read access to a subset of
Oracle GlassFish Server accessible data and unauthorized ability
to cause a partial denial of service (partial DOS) of Oracle
GlassFish Server. CVSS v3.0 Base Score 7.3 (Confidentiality,
Integrity and Availability impacts).
Vulnerability in the Oracle GlassFish Server component of Oracle
Fusion Middleware (subcomponent: Security). Supported versions that
are affected are 2.1.1, 3.0.1 and 3.1.2. Easily exploitable
vulnerability allows unauthenticated attacker with network access
via HTTP to compromise Oracle GlassFish Server. Successful attacks
of this vulnerability can result in unauthorized update, insert or
delete access to some of Oracle GlassFish Server accessible data as
well as unauthorized read access to a subset of Oracle GlassFish
Server accessible data and unauthorized ability to cause a partial
denial of service (partial DOS) of Oracle GlassFish Server.
CVSS v3.0 Base Score 7.3 (Confidentiality, Integrity and
Availability impacts).
Vulnerability in the Oracle GlassFish Server component of Oracle
Fusion Middleware (subcomponent: Security). Supported versions that
are affected are 2.1.1, 3.0.1 and 3.1.2. Difficult to exploit
vulnerability allows unauthenticated attacker with network access
via multiple protocols to compromise Oracle GlassFish Server. While
the vulnerability is in Oracle GlassFish Server, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of Oracle GlassFish Server.
CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and
Availability impacts).
Discovery 2016-06-16 Entry 2018-11-28 payara
eq 4.1.2.173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
CVE-2016-1000031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3239
CVE-2017-3239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3247
CVE-2017-3247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3249
CVE-2017-3249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3250
CVE-2017-3250
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5528
CVE-2016-5528
|