CVE-2022-45129 is a high-severity vulnerability affecting multiple versions of the Payara Platform, specifically versions before 4.1.2.191.38 for the Community edition, 5.x before 5.2022.4, 6.x before 6.2022.1, and the Enterprise edition before 5.45.0. The vulnerability arises when Payara is deployed to the root context, allowing attackers to access sensitive directories META-INF and WEB-INF. These directories typically contain configuration files, deployment descriptors, and other internal resources that should not be publicly accessible. This exposure can lead to information disclosure, potentially revealing sensitive configuration details, internal application structure, or credentials embedded in configuration files. The vulnerability is distinct from CVE-2022-37422, indicating a separate flaw in the platform's access control mechanisms. The CVSS v3.1 base score of 7.5 reflects a network attack vector with low attack complexity, no privileges required, and no user interaction needed. The impact is limited to confidentiality as integrity and availability are not affected. The weakness corresponds to CWE-552, which relates to files or directories accessible to unauthorized users. No known exploits are reported in the wild yet, but the vulnerability's nature and ease of exploitation make it a significant risk for exposed Payara deployments. Since Payara is a widely used open-source application server for Jakarta EE (formerly Java EE) applications, this vulnerability could affect many enterprise Java applications that rely on it, especially if deployed with default or root context configurations.

For European organizations, the exposure of META-INF and WEB-INF directories can lead to unauthorized disclosure of sensitive application configuration data, including database connection strings, security credentials, and internal application logic. This can facilitate further attacks such as privilege escalation, lateral movement, or targeted exploitation of other vulnerabilities. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face increased compliance risks if sensitive information is leaked. The vulnerability's network accessibility and lack of required authentication mean that attackers can exploit it remotely without user interaction, increasing the threat surface. Additionally, organizations using Payara in public-facing environments or cloud deployments are particularly at risk. The information disclosure could undermine trust, cause reputational damage, and lead to financial losses due to remediation costs and potential regulatory fines under GDPR. Given the widespread use of Java EE application servers in European enterprises, the impact is significant if not promptly addressed.

To mitigate CVE-2022-45129, European organizations should immediately upgrade affected Payara Platform versions to the fixed releases: Community editions 4.1.2.191.38 or later, 5.2022.4 or later, 6.2022.1 or later, and Enterprise edition 5.45.0 or later. Until upgrades can be applied, organizations should avoid deploying Payara to the root context or configure the server to explicitly deny HTTP access to META-INF and WEB-INF directories via web server or application server configuration. Implementing strict access controls and web application firewalls (WAFs) to block unauthorized requests targeting these directories can provide temporary protection. Regularly audit application server configurations to ensure no unintended directory exposure exists. Additionally, conduct thorough code and configuration reviews to identify any sensitive data stored in these directories and remove or secure it appropriately. Monitoring network traffic and logs for suspicious access attempts to these directories can help detect exploitation attempts early. Finally, integrate vulnerability scanning and patch management processes to ensure timely updates of Payara and related components.