CVE-2022-45129: n/a in n/a
Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0.
AI Analysis
Technical Summary
CVE-2022-45129 is a high-severity information-disclosure vulnerability in the Payara Platform. It affects Payara Platform Community before 4.1.2.191.38 on the 4.x line, 5.x before 5.2022.4 and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0. The flaw appears when an application is deployed at the root context ("/"): the server then serves requests for paths under META-INF and WEB-INF instead of refusing them. The Servlet specification requires that a container never serve the contents of these directories directly to a client, because they hold the deployment descriptors (web.xml, glassfish-web.xml or payara-web.xml, persistence.xml), the compiled application classes under WEB-INF/classes, the bundled libraries under WEB-INF/lib and the archive manifest. Exposing them lets an unauthenticated attacker read configuration, map the internal structure of the application, download bytecode for decompilation and recover any credentials that were embedded in the descriptors. The vulnerability is distinct from CVE-2022-37422, that is, a separate gap in the same access-control checks. The CVSS v3.1 base score of 7.5 reflects a network attack vector, low attack complexity, no privileges and no user interaction, with an impact limited to confidentiality (integrity and availability are unaffected). The weakness is classified as CWE-552 (Files or Directories Accessible to External Parties). No exploitation in the wild has been reported, but the check is trivial (a single HTTP GET for a file that every WAR contains, such as WEB-INF/web.xml), so any Internet-facing Payara instance that hosts an application at the root context should be treated as exposed until patched. Payara is a widely used open-source Jakarta EE (formerly Java EE) application server, so the population of affected enterprise Java applications is large.
Potential Impact
For European organizations, exposure of META-INF and WEB-INF means unauthenticated disclosure of application configuration: deployment descriptors, database connection details, any credentials stored in them, the list of bundled libraries (useful to an attacker for selecting known vulnerabilities in those components) and the compiled application classes themselves. That material enables follow-on attacks such as credential abuse, privilege escalation, lateral movement or targeted exploitation of other flaws. Organizations in sectors with strict data-protection obligations, such as finance, healthcare and government, face compliance exposure if personal or confidential data is recovered this way, including potential regulatory fines under GDPR, on top of remediation costs and reputational damage. The vulnerability is reachable over the network without authentication or user interaction, so Payara instances exposed to the Internet or to untrusted cloud networks are the most at risk. Given the widespread use of Jakarta EE application servers in European enterprises, the impact is significant if not promptly addressed.
Mitigation Recommendations
To mitigate CVE-2022-45129, European organizations should immediately upgrade affected Payara Platform installations to a fixed release: Community 4.1.2.191.38 or later on the 4.x line, 5.2022.4 or later on 5.x, 6.2022.1 or later on 6.x, and Enterprise 5.45.0 or later. Verify the fix afterwards by requesting a file that every WAR contains, such as /WEB-INF/web.xml or /META-INF/MANIFEST.MF, on the root context and confirming that the server answers 404. Until the upgrade can be applied, avoid deploying any application at the root context; give it an explicit context root (for example with the --contextroot option of asadmin deploy, or a context-root element in glassfish-web.xml or payara-web.xml) and, if a root-context application must stay in place, deny requests for META-INF and WEB-INF at a reverse proxy or WAF in front of Payara. Such a rule must be evaluated after URL decoding and path normalization and should match case-insensitively; otherwise percent-encoded or traversal-style variants of the path slip past it. Treat proxy and WAF rules as temporary compensating controls, not as the fix. Audit application server and proxy configurations regularly for unintended directory exposure, and review what the deployed archives carry under these directories: credentials in descriptors belong in server-side resources (Payara password aliases and JNDI resources) rather than in the WAR. Monitor access logs for requests containing WEB-INF or META-INF path segments; a 200 response to such a request is evidence of exposure, while 403 or 404 responses indicate attempts that were blocked. Finally, keep Payara and related components under routine vulnerability scanning and patch management so that updates are applied promptly.
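The two checks recommended above, probing a deployment for the exposed files and watching access logs for requests into WEB-INF or META-INF, as an added example in Python. This is illustrative code written for this page, not part of Payara or of the original analysis. The host name app.example.test, the log lines and the user-agent string are constructed, and the function names are this example's own. The log scanner normalizes the request path (URL decoding twice, backslashes, duplicate slashes, dot segments) before testing whole path components, which is what a proxy or WAF rule has to do as well, and the probe classifier only reports "exposed" when a 200 response actually carries descriptor content, so a catch-all error page is not misread as a finding.

```python
"""Added example (not Payara's code): probe URLs and access-log detection for CVE-2022-45129."""
import posixpath
import re
import urllib.error
import urllib.request
from urllib.parse import unquote

SENSITIVE_DIRS = ("WEB-INF", "META-INF")
# Files present in nearly every WAR and harmless to fetch; a 200 on either proves the exposure.
PROBE_FILES = ("WEB-INF/web.xml", "META-INF/MANIFEST.MF")

# Common Log Format as written by a reverse proxy or the Payara HTTP access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

def normalize_path(raw_path: str) -> str:
    """Undo what defeats a naive '/WEB-INF/' substring filter: query string, single and
    double percent-encoding, backslashes, duplicate slashes and dot segments."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):                      # %252e -> %2e -> .
        path = unquote(path)
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", path)         # posixpath.normpath would keep a leading '//'
    return posixpath.normpath("/" + path.lstrip("/"))

def touches_sensitive_dir(raw_path: str) -> bool:
    """True when the normalized path has WEB-INF or META-INF as a whole path component,
    so /docs/META-INFORMATION.html is not a false positive."""
    segments = normalize_path(raw_path).upper().split("/")
    return any(seg in SENSITIVE_DIRS for seg in segments)

def probe_targets(base_url: str, context_roots=("",)) -> list:
    """URLs to request. The vulnerable configuration is the root context, so the default
    probes '/' only; pass other context roots to cover every deployed application."""
    base = base_url.rstrip("/")
    urls = []
    for ctx in context_roots:
        prefix = f"{base}/{ctx.strip('/')}" if ctx.strip("/") else base
        urls.extend(f"{prefix}/{f}" for f in PROBE_FILES)
    return urls

def assess_response(status: int, body: bytes) -> str:
    """'exposed' requires a 200 whose body looks like the descriptor or manifest, so a
    catch-all 200 error page is reported as 'inconclusive' rather than as a finding."""
    if status == 200 and (b"<web-app" in body or b"Manifest-Version" in body):
        return "exposed"
    if status in (403, 404):
        return "blocked"
    return "inconclusive"

def probe(url: str, timeout: float = 5.0) -> str:
    """Live check of one URL on a deployment you are authorized to test (not run offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2022-45129-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_response(resp.status, resp.read(4096))
    except urllib.error.HTTPError as err:     # 403/404 etc. arrive here, not as a response
        return assess_response(err.code, b"")
    except urllib.error.URLError:
        return "inconclusive"

def scan_access_log(lines) -> list:
    """One record per request that reached into WEB-INF/META-INF. 'served' marks a 200,
    i.e. evidence that the file was handed over, not merely an attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not touches_sensitive_dir(m["path"]):
            continue
        hits.append({"ip": m["ip"], "path": m["path"],
                     "normalized": normalize_path(m["path"]),
                     "status": int(m["status"]), "served": m["status"] == "200"})
    return hits

# Constructed sample log (not a real capture): two plain probes, a percent-encoded variant,
# a traversal variant, and two benign requests, one of which a bare substring match would flag.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2022:10:15:01 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 200 1842
203.0.113.7 - - [04/Nov/2022:10:15:02 +0000] "GET /META-INF/MANIFEST.MF HTTP/1.1" 200 96
203.0.113.7 - - [04/Nov/2022:10:15:03 +0000] "GET /%57EB-INF/classes/app.properties HTTP/1.1" 404 0
203.0.113.7 - - [04/Nov/2022:10:15:04 +0000] "GET /images/..//WEB-INF/web.xml?x=1 HTTP/1.1" 200 1842
198.51.100.5 - - [04/Nov/2022:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.5 - - [04/Nov/2022:10:16:05 +0000] "GET /docs/META-INFORMATION.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for url in probe_targets("https://app.example.test"):   # call probe(url) against a live host
        print("probe target:", url)
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("hit:", hit)
```

Run against the constructed log this reports four hits, three of them served (the percent-encoded request drew a 404, so it is logged as an attempt rather than as exposure). The same normalization belongs in any proxy or WAF rule used as a stop-gap: a rule that inspects the raw request line misses the encoded and traversal variants that the scanner catches here.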
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-11-10T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9839c4522896dcbece63
Added to database: 5/21/2025, 9:09:13 AM
Last enriched: 7/2/2025, 2:39:37 AM
Last updated: 8/16/2025, 6:41:17 AM
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)