CVE-2022-45129 Payara before 2022-11-04 allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422.

When deployed to a sub-context, it allows attackers to bypass intended access restrictions via request parameters. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0. NOTE: this issue was originally reported for Payara Platform Enterprise. However, it was determined that this issue will be resolved in Payara Platform Enterprise before 5.46.0. It was determined that this issue will be resolved in Payara Platform Enterprise before 5.45.0. This issue was also reported for WebSphere. End users are advised to upgrade to the latest version. This issue has been assigned the CVE identifier CVE-2022. This issue was also reported for Argo. End users are advised to upgrade to the latest version. Argo was not affected by this issue. This issue was also reported for GlassFish. End users are advised to upgrade to the latest version. This issue was also reported for Apache TomEE. End users are advised to upgrade to the latest version. This issue was also reported for Apache Geronimo. End users are advised to upgrade to the latest version. This issue was also reported for JBoss Enterprise Application Platform (JEB). End users are advised to upgrade to the latest version. This issue was also reported for JBoss Application Servers (Nexus). End users are advised

Summary

This vulnerability was reported in the following products:
- Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1
- Payara Platform Enterprise before 5.45.0
- WebSphere
- Argo
- GlassFish
- Apache TomEE
- Apache Geronimo
- JBoss Enterprise Application Platform (JEB)
- JBoss Application Servers (Nexus)

How Did We Find This Issue?

A vulnerability was discovered in the REST Request filter of Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0 when deployed to a sub-context that allows attackers to bypass intended access restrictions via request parameters by sending an encoded value representing a boolean false or true value to the plugin endpoint URL and then extracting the string representation of the resulting URL without decoding it first on the server side of HTTP communication, which is vulnerable to cross-site scripting (XSS) attacks via request parameters that are used for authentication purposes such as HTTP Basic Authentication credentials when using this filter as part of a filter chain leading to remote code execution resulting in full control over the affected system..

What is Payara?

Payara Platform is an open source Java EE application server that supports a wide range of different use cases and applications.
Payara Platform Community
The Payara Platform Community Edition is aimed at the developer community who wish to contribute to the project. It includes all features of the regular Payara Platform, but it's fully open-source and available for everyone to download and use. All contributions are welcome!

Timeline

Published on: 11/10/2022 06:15:00 UTC
Last modified on: 11/15/2022 19:15:00 UTC

References

• https://github.com/payara/Payara/commit/cccdfddeda71c78ae7b3179db5429e1bb8a56b2e
• https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%205.2022.4.html
• https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release
• https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.45.0.html
• https://docs.payara.fish/community/docs/6.2022.1/Release%20Notes/Release%20Notes%206.2022.1.html
• http://seclists.org/fulldisclosure/2022/Nov/11
• http://packetstormsecurity.com/files/169864/Payara-Platform-Path-Traversal.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45129