Improper CRLF Handling in Payara Server and Payara Micro
CVE-2024-45687
2.4 LOW
What is CVE-2024-45687?
This vulnerability lets attackers manipulate state and potentially spoof user identities by exploiting improper handling of CRLF sequences in HTTP headers. The flaw affects both Payara Server and Payara Micro across several version ranges and allows unauthorized manipulation of requests and responses, which could lead to further attacks or information leakage.
Affected Version(s)
Payara Micro 4.1.152 <= 4.1.2.191.51
Payara Micro 5.20.0 <= 5.70.0
Payara Micro 5.2020.2 <= 5.2022.5