CVE-2023-28462: Payara Server allows remote attackers to load malicious code on the server once a JNDI directory scan is performed

March 30, 2023 (updated April 10, 2023)

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

References

blog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191
github.com/advisories/GHSA-xc93-587g-mxm7
nvd.nist.gov/vuln/detail/CVE-2023-28462

Detect and mitigate CVE-2023-28462 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →