CVE-2023-41699 - OpenCVE

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Payara	Payara

Configuration 1 [-]

OR	cpe:2.3:a:payara:payara:::::community:::*
	cpe:2.3:a:payara:payara:::::enterprise:::*
	cpe:2.3:a:payara:payara:::::enterprise:::*
	cpe:2.3:a:payara:payara:::::community:::*

References

Link	Resource
https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html	Release Notes
https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html	Release Notes

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Payara

Published: 2023-11-15T19:54:23.590Z

Updated: 2023-11-15T19:57:20.119Z

Reserved: 2023-08-30T16:08:29.041Z

Link: CVE-2023-41699

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-15T20:15:07.580

Modified: 2023-11-23T03:41:18.107

Link: CVE-2023-41699

JSON object: View

Redhat Information

No data.

CWE

CWE-601

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-41699", "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "state": "PUBLISHED", "assignerShortName": "Payara", "dateReserved": "2023-08-30T16:08:29.041Z", "datePublished": "2023-11-15T19:54:23.590Z", "dateUpdated": "2023-11-15T19:57:20.119Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Servlet Implementation"], "product": "Payara Server, Micro and Embedded", "vendor": "Payara Platform", "versions": [{"lessThan": "5.57.0", "status": "affected", "version": "5.0.0", "versionType": "semver"}, {"lessThan": "4.1.2.191.46", "status": "affected", "version": "4.1.2.191", "versionType": "semver"}, {"lessThan": "6.8.0", "status": "affected", "version": "6.0.0", "versionType": "semver"}, {"lessThan": "6.2023.11", "status": "affected", "version": "6.2023.1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Hiroki Sawamura from Fujitsu"}], "datePublic": "2023-11-16T21:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.<p>This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.</p>"}], "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\n\n"}], "impacts": [{"capecId": "CAPEC-159", "descriptions": [{"lang": "en", "value": "CAPEC-159 Redirect Access to Libraries"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara", "dateUpdated": "2023-11-15T19:57:20.119Z"}, "references": [{"tags": ["release-notes"], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"}, {"tags": ["release-notes"], "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"}], "source": {"defect": ["CVE-2023-41080"], "discovery": "INTERNAL"}, "title": "Payara Platform: URL Redirection to untrusted site using FORM authentication", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*", "matchCriteriaId": "ADFB7392-9992-4248-BDAB-2320A4C59274", "versionEndExcluding": "4.1.2.191.46", "versionStartIncluding": "4.1.2.191", "vulnerable": true}, {"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A4D9499F-D000-47D3-93ED-853F62375552", "versionEndExcluding": "5.57.0", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0DAE4FFA-8969-4B46-8D23-D3B513FFE294", "versionEndExcluding": "6.8.0", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*", "matchCriteriaId": "58FBC93E-5A50-436A-98D9-11F4D12AEB4B", "versionEndExcluding": "6.2023.11", "versionStartIncluding": "6.2023.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de redirecci\u00f3n de URL a sitio no confiable ('Open Redirect') en Payara Platform Payara Server, Micro y Embedded (m\u00f3dulos de implementaci\u00f3n de Servlet) permite el acceso de redireccionamiento a librer\u00edas. Este problema afecta a Payara Server, Micro y Embedded: desde 5.0.0 antes de 5.57.0 , desde 4.1.2.191 anterior a 4.1.2.191.46, desde 6.0.0 anterior a 6.8.0, desde 6.2023.1 anterior a 6.2023.11."}], "id": "CVE-2023-41699", "lastModified": "2023-11-23T03:41:18.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "type": "Secondary"}]}, "published": "2023-11-15T20:15:07.580", "references": [{"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "tags": ["Release Notes"], "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"}, {"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "tags": ["Release Notes"], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"}], "sourceIdentifier": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "type": "Secondary"}]}