CVE-2024-8215 – Payload Injection Attack via Management REST interface
https://notcve.org/view.php?id=CVE-2024-8215
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Payara Platform Payara Server (Admin Console modules) allows Remote Code Inclusion. This issue affects Payara Server: from 5.20.0 before 5.68.0, from 6.0.0 before 6.19.0, from 6.2022.1 before 6.2024.10, from 4.1.2.191.1 before 4.1.2.191.51.
References:
https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.10.html
https://docs.payara.fish/enterprise/docs/5.68.0/Release%20Notes/Release%20Notes%205.68.0.html
https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.19.0.html
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8097 – Sensitive information exposure when the org.glassfish.admingui LOGGER is set to FINEST level
https://notcve.org/view.php?id=CVE-2024-8097
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows sensitive credentials to be posted in plain text in the server log. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50.
References:
https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.9.html
https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html
Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-7312 – REST Interface Link Redirection via Host parameter
https://notcve.org/view.php?id=CVE-2024-7312
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server (REST Management Interface modules) allows Session Hijacking. This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, from 4.1.2.191.0 before 4.1.2.191.50.
References:
https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.67.0.html
https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html
https://docs.payara.fish/enterprise/docs/5.67.0/Release%20Notes/Release%20Notes%205.67.0.html
Weakness: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2023-28462
https://notcve.org/view.php?id=CVE-2023-28462
A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.
References:
https://blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191