CVE-2022-45129 in Community
Summary
by MITRE • 11/10/2022
Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0.
Analysis
by VulDB Data Team • 12/11/2022
This vulnerability in Payara Server represents a critical information disclosure issue that stems from improper directory access controls when the application is deployed to the root context. The flaw allows attackers to traverse and access sensitive directories including META-INF and WEB-INF, which typically contain application metadata, configuration files, and other sensitive information that should remain protected from external access. This vulnerability specifically impacts versions of Payara Platform Community prior to 4.1.2.191.38, 5.x prior to 5.2022.4, 6.x prior to 6.2022.1, as well as Payara Platform Enterprise before 5.45.0, making it a widespread issue across multiple release lines of the application server.
The technical nature of this vulnerability aligns with CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal. When Payara is configured to serve an application from the root context, the server fails to properly restrict requests for the META-INF and WEB-INF directories, allowing malicious actors to retrieve files that should never be served. This occurs because the application server does not adequately validate or filter incoming requests that reach outside the intended application scope, particularly requests containing sequences such as ../ or similar path manipulation techniques.
The operational impact of this vulnerability is significant, as it gives attackers unauthorized access to application metadata and configuration files that may contain database connection strings, API keys, cryptographic keys, and other confidential information. Exposure of the META-INF directory can reveal application manifests, service definitions, and other metadata that could aid further exploitation attempts. Access to the WEB-INF directory can expose web application configuration files, deployment descriptors, and potentially sensitive class files that could be used for privilege escalation or additional attack vectors. This vulnerability directly violates the principle of least privilege and can give attackers deeper insight into the application architecture and infrastructure.
Security practitioners should implement immediate mitigations, starting with updating to the patched versions named in the CVE: Payara Platform Community 4.1.2.191.38, 5.2022.4, or 6.2022.1, and Payara Platform Enterprise 5.45.0. Organizations should also consider additional network-level controls, such as firewall rules that restrict access to the application server, particularly when it is deployed in the root context. Application-level mitigations include avoiding root context deployment where possible, enforcing proper directory access controls, and conducting regular security assessments to identify similar path traversal weaknesses in other components. This vulnerability also maps to ATT&CK technique T1213.002 for data from information repositories and T1595.001 for network boundary compromise, highlighting the potential for broader exploitation once initial access is achieved. Organizations should perform comprehensive vulnerability assessments to ensure no other similar directory traversal issues exist within their application environments and consider deploying web application firewalls as an additional protection layer against such attacks.
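The assessment and monitoring advice above can be backed by a simple detection over web-server access logs: any request whose normalized path lands under WEB-INF or META-INF is worth reviewing, and one that the server answered with 200 is the signal that the container actually served a protected file. The following is an added example written for this page; it is not VulDB's or Payara's code. It assumes the common access-log format (client, timestamp, method, target, status) and the log lines it parses are constructed, not real traffic.

```python
"""Flag access-log requests that target protected Java web-app directories.

Added example, not VulDB's or Payara's code. The log format is assumed to be
the common/combined format; SAMPLE_LOG below is constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Directories a servlet container must never serve directly.
PROTECTED_DIRS = ("/WEB-INF", "/META-INF")

# Minimal common-log-format parser (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def normalize_path(target: str) -> str:
    """Decode and collapse a request target into the path actually served.

    The query string is dropped, percent-encoding is decoded (twice, so a
    double-encoded path collapses like a single-encoded one), backslashes are
    treated as separators, and '.' / '..' segments are resolved.
    """
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def targets_protected_dir(target: str) -> bool:
    """True when the normalized request path falls under WEB-INF or META-INF."""
    norm = normalize_path(target).upper()
    return any(norm == d or norm.startswith(d + "/") for d in PROTECTED_DIRS)


def find_protected_dir_requests(log_text: str) -> list[dict]:
    """Return one finding per log line whose path targets a protected directory.

    The status code is kept so that a 200 (file served) can be prioritized over
    a 403/404 (blocked by the container).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not targets_protected_dir(m["target"]):
            continue
        findings.append({
            "client": m["client"],
            "path": normalize_path(m["target"]),
            "status": int(m["status"]),
            "served": m["status"] == "200",
        })
    return findings


# Constructed sample lines; only the first three should be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2022:10:00:01 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 200 1342
192.0.2.10 - - [10/Nov/2022:10:00:02 +0000] "GET /META-INF/MANIFEST.MF HTTP/1.1" 200 412
192.0.2.11 - - [10/Nov/2022:10:00:03 +0000] "GET /app/../web-inf/web.xml HTTP/1.1" 403 0
192.0.2.12 - - [10/Nov/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.12 - - [10/Nov/2022:10:00:05 +0000] "GET /static/webinfo.css HTTP/1.1" 200 220
"""

if __name__ == "__main__":
    for f in find_protected_dir_requests(SAMPLE_LOG):
        state = "SERVED" if f["served"] else "blocked"
        print(f"{f['client']} {f['path']} -> {f['status']} ({state})")
```

Matching is done on the normalized, upper-cased path rather than on the raw request string so that case differences, dot segments and percent-encoding do not hide a request; a finding with `served` set to true on a Payara instance deployed at the root context is the condition this CVE describes and should be treated as a confirmed exposure until the patched version is in place.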