Security Fixes Summary

The following is a list of tracked Common Vulnerabilities and Exposures that have been reported and analyzed, which can or have impacted Payara Server across releases:

ID CVSS v3.0 Base Score Status Summary Release Observations

ID	CVSS v3.0 Base Score	Status	Summary	Release	Observations
CVE-2021-40690	7.5	FIXED	The "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element, allowing abuse of an XPath Transform to extract any local .xml files in a RetrievalMethod element.	5.34.0	Fixed by upgrading Apache Santuario to 2.2.3
CVE-2018-10054	6.5	FIXED	Remote code execution vulnerability in H2 DB because CREATE ALIAS can execute arbitrary Java code	5.32.0	Fixed by upgrading H2 DB to 1.4.200
CVE-2018-14335	4.0	FIXED	Insecure handling of permissions in the backup function of the H2 DB	5.32.0	Fixed by upgrading H2 DB to 1.4.200
CVE-2021-41381	5.3	FIXED	Improper Limitation of a pathname to a restricted directory (exposes an application to "Path Traversal") when context root is /	5.31.0	Recommended to immediately upgrade to this release if any of your applications is deployed on the / context root on Payara Server or Payara Micro
CVE-2020-25649	7.5	FIXED	A flaw in FasterXML Jackson Databind 2.10.2 allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.	5.30.0	Fixed by upgrading Jackson Databind to 2.12.4
CVE-2021-31684	7.5	FIXED	A vulnerability in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.	5.30.0	Fixed by upgrading JSON Smart to 2.4.7
CVE-2021-28170	5.3	FIXED	A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid	5.29.0	Fixed by backporting a fix from the latest Jakarta Expression Language snapshot version
CVE-2020-10693	5.3	FIXED	A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls.	5.23.1	Fixed by upgrading Hibernate Validator to 6.1.5
CVE-2019-17195	9.8	FIXED	Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.	5.21.2	Fixed by upgrading Nimbus JOSE+JWT to 8.20
CVE-2020-6950	7.5	FIXED	Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters	5.201	Fixed by upgrading Mojarra to 2.3.14
CVE-2019-12086	7.5	FIXED	A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9	5.193, 5.192.1, 5.191.4
CVE-2018-14721	10.0	FIXED	FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks	5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10	Fixed in FasterXML Jackson 2.9.7, component updated
CVE-2018-14720	9.8	FIXED	FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks	5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10	Fixed in FasterXML Jackson 2.9.7, component updated
CVE-2018-14719	9.8	FIXED	FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code	5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10	Fixed in FasterXML Jackson 2.9.7, component updated
CVE-2018-14718	9.8	FIXED	FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code	5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10	Fixed in FasterXML Jackson 2.9.7, component updated
CVE-2018-14371	7.5	FIXED	Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter.	5.191, 5.184.1, 5.181.10	Fixed in Eclipse Mojarra 2.3.9, component updated
CVE-2018-7489	9.8	FIXED	Default typing issue in Jackson Databind	4.1.2.181.3, 4.1.2.182, 5.181.3, 5.182	Fixed in Jackson Databind 2.9.5, component updated
CVE-2017-12616	7.5	N/A	Apache Tomcat security constraint bypass and VirtualDirContext vulnerability		Unrelated to Payara Server
CVE-2017-12615	8.1	FIXED	Apache Tomcat vulnerability on Windows allowed for remote code execution via crafted PUT requests to JSPs	4.1.2.174	Fixed in Apache Tomcat, ported to Payara Server
CVE-2016-1000031	9.8	FIXED	Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution	4.1.2.173
CVE-2017-3239	3.3	FIXED	Oracle GlassFish Server Local Security Vulnerability	4.1.2.173	Fixed in GlassFish 5 code, ported to Payara Server
CVE-2017-3247	4.3	FIXED	Oracle GlassFish Server Remote Security Vulnerability	4.1.2.173	Fixed in GlassFish 5 code, ported to Payara Server
CVE-2017-3249	7.3	FIXED	Oracle GlassFish Server Remote Security Vulnerability	4.1.2.173	Fixed in GlassFish 5 code, ported to Payara Server
CVE-2017-3250	7.3	FIXED	Oracle GlassFish Server Remote Security Vulnerability	4.1.2.173	Fixed in GlassFish 5 code, ported to Payara Server
CVE-2016-5528	9.0	FIXED	Oracle GlassFish Server Remote Security Vulnerability	4.1.2.173	Fixed in GlassFish 5 code, ported to Payara Server
CVE-2016-5519	8.8	N/A	Oracle GlassFish Server vulnerability in Oracle Fusion Middleware		Affects an older version of GlassFish but not Payara Server
CVE-2007-6726	N/A (V2: 4.3)	FIXED	XSS Vulnerabilities in Dojo libraries used for admin console	4.1.1.163
CVE-2012-2098	N/A (V2: 5.0)	FIXED	Apache Commons Compress bzip2 vulnerability allows DDoS attacks	4.1.1.163
CVE-2013-2035	N/A (V2: 4.4)	FIXED	Race condition in outdated jLine code allows arbitrary code execution	4.1.1.171
CVE-2014-0050	N/A (V2: 7.5)	FIXED	Apache Commons FileUpload allows DDoS attacks via crafted `Content-Type` headers	4.1.1.154.1
CVE-2015-0254	N/A (V2: 7.5)	N/A	Vulnerabilities on Apache JSTL allows arbitrary code injection		Payara Server uses the `FEATURE_SECURE_PROCESSING` feature of JAXP so is not affected
CVE-2015-3237	N/A (V2: 6.4)	N/A	Vulnerabilities in smb_request_state function in cURL		Payara Server doesn’t ship with either cURL or licurl so it’s not affected
CVE-2015-5346	8.1	N/A	Apache Tomcat Vulnerability in session recycling for SSL requests		Payara Server implementation of the Request class doesn’t contain the problematic variable being recycled
CVE-2015-5351	8.8	N/A	Apache Tomcat Manager Applications Session and CSRF token vulnerabilities		Unrelated to Payara Server since this affects specific Tomcat applications
CVE-2016-0706	4.3	N/A	Apache Tomcat Vulnerability on `StatusManagerServlet` component allows reads of HTTP requests and discover session IDs		Payara Server doesn’t use the `StatusManagerServlet` component so it’s not affected
CVE-2016-0714	8.8	N/A	Session persistence in Apache Tomcat allows arbitrary code injection		Payara Server doesn’t use the affected objects in the same way that Tomcat does so the flaw is not present
CVE-2016-0763	6.3	FIXED	Vulnerability in `ResourceLinkFactory.setGlobalContext` method on Apache Tomcat	4.1.1.164.1
CVE-2016-3092	7.5	FIXED	Apache Commons FileUpload allows DDoS attacks via `Multipart` class	4.1.1.163
CVE-2016-3427	9.0	FIXED	Unspecified vulnerability in various versions of the Oracle JDK and JRockit	4.1.1.164.1
CVE-2016-3607	9.8	FIXED	Unspecified vulnerability on Oracle GlassFish 3.0+ affects confidentiality	4.1.1.163
CVE-2016-3608	5.8	N/A	Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality		Affects an older version of GlassFish but not Payara Server
CVE-2016-5388	8.1	FIXED	Apache Tomcat does not protect applications from untrusted data when using the CGI Servlet	4.1.1.163.1
CVE-2016-5477	5.8	N/A	Unspecified vulnerability on Oracle GlassFish 3.0.1 affects confidentiality		Affects an older version of GlassFish but not Payara Server
CVE-2016-5519	8.8	N/A	Unspecified vulnerability on JSF implementation for Oracle Glassfish 3.0+		Affects an older version of GlassFish but not Payara Server
CVE-2016-6816	7.1	N/A	Apache Tomcat HTTP request parsing vulnerability allow injection of data into reponse		Payara Server doesn’t have included the Coyote components affected
CVE-2017-1000028	7.5	FIXED	Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.	4.1.1.161	Fixed by patching Woodstock

CVE-2021-40690

7.5

FIXED

The "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element, allowing abuse of an XPath Transform to extract any local .xml files in a RetrievalMethod element.

5.34.0

Fixed by upgrading Apache Santuario to 2.2.3

CVE-2018-10054

6.5

FIXED

Remote code execution vulnerability in H2 DB because CREATE ALIAS can execute arbitrary Java code

5.32.0

Fixed by upgrading H2 DB to 1.4.200

CVE-2018-14335

4.0

FIXED

Insecure handling of permissions in the backup function of the H2 DB

5.32.0

Fixed by upgrading H2 DB to 1.4.200

CVE-2021-41381

5.3

FIXED

Improper Limitation of a pathname to a restricted directory (exposes an application to "Path Traversal") when context root is /

5.31.0

Recommended to immediately upgrade to this release if any of your applications is deployed on the / context root on Payara Server or Payara Micro

CVE-2020-25649

7.5

FIXED

A flaw in FasterXML Jackson Databind 2.10.2 allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

5.30.0

Fixed by upgrading Jackson Databind to 2.12.4

CVE-2021-31684

7.5

FIXED

A vulnerability in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.

5.30.0

Fixed by upgrading JSON Smart to 2.4.7

CVE-2021-28170

5.3

FIXED

A bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid

5.29.0

Fixed by backporting a fix from the latest Jakarta Expression Language snapshot version

CVE-2020-10693

5.3

FIXED

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls.

5.23.1

Fixed by upgrading Hibernate Validator to 6.1.5

CVE-2019-17195

9.8

FIXED

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

5.21.2

Fixed by upgrading Nimbus JOSE+JWT to 8.20

CVE-2020-6950

7.5

FIXED

Eclipse Mojarra vulnerable to path trasversal flaw via either loc/con parameters

5.201

Fixed by upgrading Mojarra to 2.3.14

CVE-2019-12086

7.5

FIXED

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9

5.193, 5.192.1, 5.191.4

CVE-2018-14721

10.0

FIXED

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks

5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10

Fixed in FasterXML Jackson 2.9.7, component updated

CVE-2018-14720

9.8

FIXED

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct external XML entity (XXE) attacks

5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10

Fixed in FasterXML Jackson 2.9.7, component updated

CVE-2018-14719

9.8

FIXED

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code

5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10

Fixed in FasterXML Jackson 2.9.7, component updated

CVE-2018-14718

9.8

FIXED

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code

5.191, 5.184.1, 5.181.10, 4.1.2.191, 4.1.2.184.1, 4.1.2.181.10

Fixed in FasterXML Jackson 2.9.7, component updated

CVE-2018-14371

7.5

FIXED

Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter.

5.191, 5.184.1, 5.181.10

Fixed in Eclipse Mojarra 2.3.9, component updated

CVE-2018-7489

9.8

FIXED

Default typing issue in Jackson Databind

4.1.2.181.3, 4.1.2.182, 5.181.3, 5.182

Fixed in Jackson Databind 2.9.5, component updated

CVE-2017-12616

7.5

N/A

Apache Tomcat security constraint bypass and VirtualDirContext vulnerability

Unrelated to Payara Server

CVE-2017-12615

8.1

FIXED

Apache Tomcat vulnerability on Windows allowed for remote code execution via crafted PUT requests to JSPs

4.1.2.174

Fixed in Apache Tomcat, ported to Payara Server

CVE-2016-1000031

9.8

FIXED

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

4.1.2.173

CVE-2017-3239

3.3

FIXED

Oracle GlassFish Server Local Security Vulnerability

4.1.2.173