{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8097", "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "state": "PUBLISHED", "assignerShortName": "Payara", "dateReserved": "2024-08-22T15:06:11.250Z", "datePublished": "2024-09-11T16:32:10.475Z", "dateUpdated": "2024-09-11T18:52:51.760Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Logging"], "product": "Payara Server", "vendor": "Payara Platform", "versions": [{"lessThan": "6.18.0", "status": "affected", "version": "6.0.0", "versionType": "semver"}, {"lessThan": "6.2024.9", "status": "affected", "version": "6.2022.1", "versionType": "semver"}, {"lessThan": "5.67.0", "status": "affected", "version": "5.20.0", "versionType": "semver"}, {"lessThan": "5.2022.5", "status": "affected", "version": "5.2020.2", "versionType": "semver"}, {"lessThan": "4.1.2.191.50", "status": "affected", "version": "4.1.2.191.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Marco Ventura"}, {"lang": "en", "type": "reporter", "value": "Claudia Bartolini"}, {"lang": "en", "type": "reporter", "value": "Andrea Carlo Maria Dattola"}, {"lang": "en", "type": "reporter", "value": "Debora Esposito"}, {"lang": "en", "type": "reporter", "value": "Massimiliano Brolli"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log.<p>This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50.</p>"}], "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Sensitive credentials posted in plain-text on the server log"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.7, "baseSeverity": "MEDIUM", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara", "dateUpdated": "2024-09-11T16:32:10.475Z"}, "references": [{"tags": ["release-notes"], "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.9.html"}, {"tags": ["release-notes"], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html"}], "source": {"discovery": "UPSTREAM"}, "title": "Sensitive information exposure when the org.glassfish.admingui LOGGER is set to FINEST level", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-11T18:52:39.001756Z", "id": "CVE-2024-8097", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T18:52:51.760Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8097", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-11T18:52:39.001756Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T18:52:46.255Z"}}], "cna": {"title": "Sensitive information exposure when the org.glassfish.admingui LOGGER is set to FINEST level", "source": {"discovery": "UPSTREAM"}, "credits": [{"lang": "en", "type": "reporter", "value": "Marco Ventura"}, {"lang": "en", "type": "reporter", "value": "Claudia Bartolini"}, {"lang": "en", "type": "reporter", "value": "Andrea Carlo Maria Dattola"}, {"lang": "en", "type": "reporter", "value": "Debora Esposito"}, {"lang": "en", "type": "reporter", "value": "Massimiliano Brolli"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Sensitive credentials posted in plain-text on the server log"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Payara Platform", "modules": ["Logging"], "product": "Payara Server", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.18.0", "versionType": "semver"}, {"status": "affected", "version": "6.2022.1", "lessThan": "6.2024.9", "versionType": "semver"}, {"status": "affected", "version": "5.20.0", "lessThan": "5.67.0", "versionType": "semver"}, {"status": "affected", "version": "5.2020.2", "lessThan": "5.2022.5", "versionType": "semver"}, {"status": "affected", "version": "4.1.2.191.0", "lessThan": "4.1.2.191.50", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.9.html", "tags": ["release-notes"]}, {"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log.<p>This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara", "dateUpdated": "2024-09-11T16:32:10.475Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8097", "state": "PUBLISHED", "dateUpdated": "2024-09-11T18:52:51.760Z", "dateReserved": "2024-08-22T15:06:11.250Z", "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "datePublished": "2024-09-11T16:32:10.475Z", "assignerShortName": "Payara"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50."}, {"lang": "es", "value": "Vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial a un actor no autorizado en Payara Platform Payara Server (m\u00f3dulos de registro) permite que las credenciales confidenciales se publiquen en texto plano en el registro del servidor. Este problema afecta a Payara Server: desde 6.0.0 antes de 6.18.0, desde 6.2022.1 antes de 6.2024.9, desde 5.20.0 antes de 5.67.0, desde 5.2020.2 antes de 5.2022.5, desde 4.1.2.191.0 antes de 4.1.2.191.50."}], "id": "CVE-2024-8097", "lastModified": "2024-09-12T12:35:54.013", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "HIGH", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "NONE"}, "source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "type": "Secondary"}]}, "published": "2024-09-11T17:15:13.917", "references": [{"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.9.html"}, {"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html"}], "sourceIdentifier": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "type": "Secondary"}]}

{"bugzilla": {"description": "payara: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara", "id": "2311758", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311758"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Payara Platform Payara Server (Logging modules) allows Sensitive credentials posted in plain-text on the server log.This issue affects Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.20.0 before 5.67.0, from 5.2020.2 before 5.2022.5, from 4.1.2.191.0 before 4.1.2.191.50.", "An exposure of sensitive information flaw via an unauthorized actor vulnerability was found in the Payara Platform Payara Server (logging modules). This issue allows sensitive credentials to be posted in plain text on the server log."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-8097", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "fish.payara.arquillian/arquillian-payara-server-4-managed", "product_name": "Red Hat JBoss Data Grid 7"}], "public_date": "2024-09-11T17:15:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8097\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8097\nhttps://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%206.2024.9.html\nhttps://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.18.0.html"], "threat_severity": "Moderate"}