SecuriTricks - CVE-2024-45687

Description

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.

Product(s) Impacted

Product	Versions
Payara Platform Payara Server	['4.1.151 - 4.1.2.191.51', '5.20.0 - 5.70.0', '5.2020.2 - 5.2022.5', '6.2022.1 - 6.2024.12', '6.0.0 - 6.21.0']
Payara Platform Payara Micro	['4.1.152 - 4.1.2.191.51', '5.20.0 - 5.70.0', '5.2020.2 - 5.2022.5', '6.2022.1 - 6.2024.12', '6.0.0 - 6.21.0']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

References

https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html

https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html

https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html

Timeline

Published: Jan. 21, 2025, 5:15 p.m.
Last Modified: Jan. 21, 2025, 5:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

769c9ae7-73c3-4e47-ae19-903170fc3eb8

CVE-2024-45687