{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45687", "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "state": "PUBLISHED", "assignerShortName": "Payara", "dateReserved": "2024-09-04T15:55:26.099Z", "datePublished": "2025-01-21T16:35:43.932Z", "dateUpdated": "2025-02-12T20:41:21.565Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Grizzly", "REST Management Interface"], "product": "Payara Server", "vendor": "Payara Platform", "versions": [{"lessThanOrEqual": "4.1.2.191.51", "status": "affected", "version": "4.1.151", "versionType": "custom"}, {"lessThanOrEqual": "5.70.0", "status": "affected", "version": "5.20.0", "versionType": "semver"}, {"lessThanOrEqual": "5.2022.5", "status": "affected", "version": "5.2020.2", "versionType": "semver"}, {"lessThanOrEqual": "6.2024.12", "status": "affected", "version": "6.2022.1", "versionType": "semver"}, {"lessThanOrEqual": "6.21.0", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "modules": ["Grizzly"], "product": "Payara Micro", "vendor": "Payara Platform", "versions": [{"lessThanOrEqual": "4.1.2.191.51", "status": "affected", "version": "4.1.152", "versionType": "custom"}, {"lessThanOrEqual": "5.70.0", "status": "affected", "version": "5.20.0", "versionType": "semver"}, {"lessThanOrEqual": "5.2022.5", "status": "affected", "version": "5.2020.2", "versionType": "semver"}, {"lessThanOrEqual": "6.2024.12", "status": "affected", "version": "6.2022.1", "versionType": "semver"}, {"lessThanOrEqual": "6.21.0", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Ben Kallus"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.<p>This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.</p>"}], "value": "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0."}], "impacts": [{"capecId": "CAPEC-74", "descriptions": [{"lang": "en", "value": "CAPEC-74 Manipulating State"}]}, {"capecId": "CAPEC-151", "descriptions": [{"lang": "en", "value": "CAPEC-151 Identity Spoofing"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 2.4, "baseSeverity": "LOW", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara", "dateUpdated": "2025-01-21T16:35:43.932Z"}, "references": [{"tags": ["release-notes"], "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html"}, {"tags": ["release-notes"], "url": "https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html"}, {"tags": ["release-notes"], "url": "https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html"}], "source": {"discovery": "UPSTREAM"}, "title": "HTTP Server incorrectly accepting disallowed characters within header values", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45687", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-21T17:16:04.924874Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:41:21.565Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45687", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-21T17:16:04.924874Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:33:04.809Z"}}], "cna": {"title": "HTTP Server incorrectly accepting disallowed characters within header values", "source": {"discovery": "UPSTREAM"}, "credits": [{"lang": "en", "type": "reporter", "value": "Ben Kallus"}], "impacts": [{"capecId": "CAPEC-74", "descriptions": [{"lang": "en", "value": "CAPEC-74 Manipulating State"}]}, {"capecId": "CAPEC-151", "descriptions": [{"lang": "en", "value": "CAPEC-151 Identity Spoofing"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Payara Platform", "modules": ["Grizzly", "REST Management Interface"], "product": "Payara Server", "versions": [{"status": "affected", "version": "4.1.151", "versionType": "custom", "lessThanOrEqual": "4.1.2.191.51"}, {"status": "affected", "version": "5.20.0", "versionType": "semver", "lessThanOrEqual": "5.70.0"}, {"status": "affected", "version": "5.2020.2", "versionType": "semver", "lessThanOrEqual": "5.2022.5"}, {"status": "affected", "version": "6.2022.1", "versionType": "semver", "lessThanOrEqual": "6.2024.12"}, {"status": "affected", "version": "6.0.0", "versionType": "semver", "lessThanOrEqual": "6.21.0"}], "defaultStatus": "unaffected"}, {"vendor": "Payara Platform", "modules": ["Grizzly"], "product": "Payara Micro", "versions": [{"status": "affected", "version": "4.1.152", "versionType": "custom", "lessThanOrEqual": "4.1.2.191.51"}, {"status": "affected", "version": "5.20.0", "versionType": "semver", "lessThanOrEqual": "5.70.0"}, {"status": "affected", "version": "5.2020.2", "versionType": "semver", "lessThanOrEqual": "5.2022.5"}, {"status": "affected", "version": "6.2022.1", "versionType": "semver", "lessThanOrEqual": "6.2024.12"}, {"status": "affected", "version": "6.0.0", "versionType": "semver", "lessThanOrEqual": "6.21.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html", "tags": ["release-notes"]}, {"url": "https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html", "tags": ["release-notes"]}, {"url": "https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html", "tags": ["release-notes"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.<p>This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-113", "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')"}]}], "providerMetadata": {"orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "shortName": "Payara", "dateUpdated": "2025-01-21T16:35:43.932Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45687", "state": "PUBLISHED", "dateUpdated": "2025-02-12T20:41:21.565Z", "dateReserved": "2024-09-04T15:55:26.099Z", "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "datePublished": "2025-01-21T16:35:43.932Z", "assignerShortName": "Payara"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in Payara Platform Payara Server (Grizzly, REST Management Interface modules), Payara Platform Payara Micro (Grizzly modules) allows Manipulating State, Identity Spoofing.This issue affects Payara Server: from 4.1.151 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0; Payara Micro: from 4.1.152 through 4.1.2.191.51, from 5.20.0 through 5.70.0, from 5.2020.2 through 5.2022.5, from 6.2022.1 through 6.2024.12, from 6.0.0 through 6.21.0."}, {"lang": "es", "value": "Vulnerabilidad de neutralizaci\u00f3n incorrecta de secuencias CRLF en encabezados HTTP ('Divisi\u00f3n de solicitud/respuesta HTTP') en Payara Platform Payara Server (Grizzly, m\u00f3dulos de interfaz de administraci\u00f3n REST), Payara Platform Payara Micro (m\u00f3dulos Grizzly) permite manipular el estado y suplantar la identidad. Este problema afecta a Payara Server: desde la versi\u00f3n 4.1.151 hasta la 4.1.2.191.51, desde la versi\u00f3n 5.20.0 hasta la 5.70.0, desde la versi\u00f3n 5.2020.2 hasta la 5.2022.5, desde la versi\u00f3n 6.2022.1 hasta la 6.2024.12, desde la versi\u00f3n 6.0.0 hasta la 6.21.0; Payara Micro: de 4.1.152 a 4.1.2.191.51, de 5.20.0 a 5.70.0, de 5.2020.2 a 5.2022.5, de 6.2022.1 a 6.2024.12, de 6.0.0 a 6.21.0."}], "id": "CVE-2024-45687", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "type": "Secondary"}]}, "published": "2025-01-21T17:15:14.073", "references": [{"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "url": "https://docs.payara.fish/community/docs/6.2025.1/Release%20Notes/Release%20Notes%206.2025.1.html"}, {"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "url": "https://docs.payara.fish/enterprise/docs/5.71.0/Release%20Notes/Release%20Notes%205.71.0.html"}, {"source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "url": "https://docs.payara.fish/enterprise/docs/Release%20Notes/Release%20Notes%206.22.0.html"}], "sourceIdentifier": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-113"}], "source": "769c9ae7-73c3-4e47-ae19-903170fc3eb8", "type": "Secondary"}]}

{}

{}