Headline
CVE-2022-45129: Merge pull request #5989 from luiseufrasio/FISH-6603 · payara/Payara@cccdfdd
Payara before 2022-11-04, when deployed to the root context, allows attackers to visit META-INF and WEB-INF, a different vulnerability than CVE-2022-37422. This affects Payara Platform Community before 4.1.2.191.38, 5.x before 5.2022.4, and 6.x before 6.2022.1, and Payara Platform Enterprise before 5.45.0.
@@ -68,6 +68,7 @@ import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.Locale; import java.util.regex.Pattern;
import org.glassfish.grizzly.utils.Charsets;
@@ -97,6 +98,11 @@
private StandardContext context = null;
private static final Pattern PATTERN_META_INF = Pattern.compile("[.]{2}[/]?.*[/](META-INF[/].*|META-INF$)", Pattern.CASE_INSENSITIVE);
private static final Pattern PATTERN_WEB_INF = Pattern.compile("[.]{2}[/]?.*[/](WEB-INF[/].*|WEB-INF$)", Pattern.CASE_INSENSITIVE);
// ------------------------------------------------------------- Properties
@@ -294,12 +300,13 @@ protected String normalize(String path) { if (rv.indexOf(“./”) == 0) { rv = rv.replaceFirst("./", “/”); } // has /WEB-INF or /META-INF final String RV = rv.toUpperCase(); int index = RV.indexOf(“/WEB-INF/”); if (index != -1 || RV.endsWith(“/WEB-INF”)) { // has …/*/WEB-INF/* or …/*/META-INF/* if (PATTERN_WEB_INF.matcher(rv).find()) { return "/WEB-INF"; } if (PATTERN_META_INF.matcher(rv).find()) { return "/META-INF"; }
// Normalize the slashes and add leading slash if necessary if (rv.indexOf(‘\\’) >= 0) {
Related news
Payara Platform suffers from a path traversal vulnerability. Enterprise versions prior to 5.45.0 and Community versions prior to 6.2022.1, 5.2022.4, and 4.1.2.191.38 are affected.