CVE-2023-28462 — Payara Server allows remote attackers to load malicious code on the server once

Description

A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI directory scan is performed.

How to fix CVE-2023-28462

To remediate CVE-2023-28462, upgrade the affected package to a fixed version below.

—upgrade to 6.2022.1.Alpha3 or later

Is CVE-2023-28462 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 5.2020.1, < 6.2022.1.Alpha3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-28462
PATCHgithub.com/payara/Payara
WEBblog.payara.fish/vulnerability-affecting-server-environments-on-java-1.8-on-updates-lower-than-1.8u191