CVE-2022-45129

EUVD-2022-48046
Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
Affected Products (NVD)
VendorProductVersion
payarapayara
𝑥
< 4.1.2.191.38
payarapayara
𝑥
< 5.45.0
payarapayara
5.0.0 ≤
𝑥
< 5.2022.4
payarapayara
6.0.0 ≤
𝑥
< 6.2022.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/169864/Payara-Platform-Path-Traversal.html
http://seclists.org/fulldisclosure/2022/Nov/11
https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release
https://docs.payara.fish/community/docs/6.2022.1/Release%20Notes/Release%20Notes%206.2022.1.html
https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%205.2022.4.html
https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.45.0.html
https://github.com/payara/Payara/commit/cccdfddeda71c78ae7b3179db5429e1bb8a56b2e
http://packetstormsecurity.com/files/169864/Payara-Platform-Path-Traversal.html
http://seclists.org/fulldisclosure/2022/Nov/11
https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release
https://docs.payara.fish/community/docs/6.2022.1/Release%20Notes/Release%20Notes%206.2022.1.html
https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%205.2022.4.html
https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%205.45.0.html
https://github.com/payara/Payara/commit/cccdfddeda71c78ae7b3179db5429e1bb8a56b2e