Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-28462

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

Published

2023-03-30T20:15:07.733

Last Modified

2025-02-18T19:15:11.523

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
NVD-CWE-noinfo
Type: Secondary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	payara	payara_server	≤ 5.0.0	Yes
Application	payara	payara_server	≥ 5.20.0	Yes
Application	payara	payara_server	≥ 5.2020.1	Yes
Application	oracle	jdk	1.8.0	No

References

https://blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191 Mitigation, Vendor Advisory ([email protected])
https://blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)