CVE-2023-41699 - OpenCVE

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Payara	Payara

Configuration 1 [-]

OR	cpe:2.3:a:payara:payara:::::community:::*
	cpe:2.3:a:payara:payara:::::enterprise:::*
	cpe:2.3:a:payara:payara:::::enterprise:::*
	cpe:2.3:a:payara:payara:::::community:::*

No data.

References

Link	Providers
https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html
https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html
https://nvd.nist.gov/vuln/detail/CVE-2023-41699
https://www.cve.org/CVERecord?id=CVE-2023-41699

History

No history.

MITRE

Status: PUBLISHED

Assigner: Payara

Published: 2023-11-15T19:54:23.590Z

Updated: 2024-08-29T17:37:00.722Z

Reserved: 2023-08-30T16:08:29.041Z

Link: CVE-2023-41699

Vulnrichment

Updated: 2024-08-02T19:01:35.420Z

NVD

Status : Analyzed

Published: 2023-11-15T20:15:07.580

Modified: 2023-11-23T03:41:18.107

Link: CVE-2023-41699

Redhat

Severity : Moderate

Publid Date: 2023-11-15T00:00:00Z

Links: CVE-2023-41699 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41699", "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "state": "PUBLISHED", "assignerShortName": "Payara", "dateReserved": "2023-08-30T16:08:29.041Z", "datePublished": "2023-11-15T19:54:23.590Z", "dateUpdated": "2024-08-29T17:37:00.722Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Servlet Implementation"], "product": "Payara Server, Micro and Embedded", "vendor": "Payara Platform", "versions": [{"lessThan": "5.57.0", "status": "affected", "version": "5.0.0", "versionType": "semver"}, {"lessThan": "4.1.2.191.46", "status": "affected", "version": "4.1.2.191", "versionType": "semver"}, {"lessThan": "6.8.0", "status": "affected", "version": "6.0.0", "versionType": "semver"}, {"lessThan": "6.2023.11", "status": "affected", "version": "6.2023.1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Hiroki Sawamura from Fujitsu"}], "datePublic": "2023-11-16T21:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.<p>This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.</p>"}], "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\n\n"}], "impacts": [{"capecId": "CAPEC-159", "descriptions": [{"lang": "en", "value": "CAPEC-159 Redirect Access to Libraries"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara", "dateUpdated": "2023-11-15T19:57:20.119Z"}, "references": [{"tags": ["release-notes"], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"}, {"tags": ["release-notes"], "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"}], "source": {"defect": ["CVE-2023-41080"], "discovery": "INTERNAL"}, "title": "Payara Platform: URL Redirection to untrusted site using FORM authentication", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:01:35.420Z"}, "title": "CVE Program Container", "references": [{"tags": ["release-notes", "x_transferred"], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"}, {"tags": ["release-notes", "x_transferred"], "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T17:36:42.715958Z", "id": "CVE-2023-41699", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T17:37:00.722Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html", "tags": ["release-notes", "x_transferred"]}, {"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html", "tags": ["release-notes", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:01:35.420Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-41699", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T17:36:42.715958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T17:36:52.426Z"}}], "cna": {"title": "Payara Platform: URL Redirection to untrusted site using FORM authentication", "source": {"defect": ["CVE-2023-41080"], "discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Hiroki Sawamura from Fujitsu"}], "impacts": [{"capecId": "CAPEC-159", "descriptions": [{"lang": "en", "value": "CAPEC-159 Redirect Access to Libraries"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Payara Platform", "modules": ["Servlet Implementation"], "product": "Payara Server, Micro and Embedded", "versions": [{"status": "affected", "version": "5.0.0", "lessThan": "5.57.0", "versionType": "semver"}, {"status": "affected", "version": "4.1.2.191", "lessThan": "4.1.2.191.46", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.8.0", "versionType": "semver"}, {"status": "affected", "version": "6.2023.1", "lessThan": "6.2023.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2023-11-16T21:00:00.000Z", "references": [{"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html", "tags": ["release-notes"]}, {"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\n\n", "supportingMedia": [{"type": "text/html", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.<p>This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara", "dateUpdated": "2023-11-15T19:57:20.119Z"}}}, "cveMetadata": {"cveId": "CVE-2023-41699", "state": "PUBLISHED", "dateUpdated": "2024-08-29T17:37:00.722Z", "dateReserved": "2023-08-30T16:08:29.041Z", "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "datePublished": "2023-11-15T19:54:23.590Z", "assignerShortName": "Payara"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*", "matchCriteriaId": "ADFB7392-9992-4248-BDAB-2320A4C59274", "versionEndExcluding": "4.1.2.191.46", "versionStartIncluding": "4.1.2.191", "vulnerable": true}, {"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "A4D9499F-D000-47D3-93ED-853F62375552", "versionEndExcluding": "5.57.0", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0DAE4FFA-8969-4B46-8D23-D3B513FFE294", "versionEndExcluding": "6.8.0", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:payara:payara:*:*:*:*:community:*:*:*", "matchCriteriaId": "58FBC93E-5A50-436A-98D9-11F4D12AEB4B", "versionEndExcluding": "6.2023.11", "versionStartIncluding": "6.2023.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Payara Platform Payara Server, Micro and Embedded (Servlet Implementation modules) allows Redirect Access to Libraries.This issue affects Payara Server, Micro and Embedded: from 5.0.0 before 5.57.0, from 4.1.2.191 before 4.1.2.191.46, from 6.0.0 before 6.8.0, from 6.2023.1 before 6.2023.11.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de redirecci\u00f3n de URL a sitio no confiable ('Open Redirect') en Payara Platform Payara Server, Micro y Embedded (m\u00f3dulos de implementaci\u00f3n de Servlet) permite el acceso de redireccionamiento a librer\u00edas. Este problema afecta a Payara Server, Micro y Embedded: desde 5.0.0 antes de 5.57.0 , desde 4.1.2.191 anterior a 4.1.2.191.46, desde 6.0.0 anterior a 6.8.0, desde 6.2023.1 anterior a 6.2023.11."}], "id": "CVE-2023-41699", "lastModified": "2023-11-23T03:41:18.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "type": "Secondary"}]}, "published": "2023-11-15T20:15:07.580", "references": [{"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "tags": ["Release Notes"], "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2023.11.html"}, {"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "tags": ["Release Notes"], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.8.0.html"}], "sourceIdentifier": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "type": "Secondary"}]}