CVE-2023-28462

CRITICAL

Payara Server <5.20.0 - RCE

Title source: llm

Description

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

Scores

CVSS v3 9.8
EPSS 0.0204
EPSS Percentile 83.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (3)

payara/payara_server < 5.0.0
payara/payara_server
fish.payara.server/payara-aggregator < 6.2022.1.Alpha3 (Maven)

Timeline

Published Mar 30, 2023
Tracked Since Feb 18, 2026