Payara Platform Payara Server and Payara Micro HTTP Request/Response Splitting Vulnerability

Vulnerability

A vulnerability allowing HTTP request/response splitting has been identified in Payara Platform Payara Server (Grizzly and REST Management Interface modules) and Payara Platform Payara Micro (Grizzly modules). It arises from improper handling of carriage return and line feed (CRLF) sequences in HTTP headers and can be exploited to manipulate state and spoof identity. Affected versions are:

Payara Server: 4.1.151 prior to 4.1.2.191.51, 5.20.0 prior to 5.70.0, 5.2020.2 prior to 5.2022.5, 6.2022.1 prior to 6.2024.12, and 6.0.0 prior to 6.21.0.
Payara Micro: 4.1.152 prior to 4.1.2.191.51, 5.20.0 prior to 5.70.0, 5.2020.2 prior to 5.2022.5, 6.2022.1 prior to 6.2024.12, and 6.0.0 prior to 6.21.0.

Impact

Exploitation of this vulnerability could lead to HTTP request/response splitting, allowing for state manipulation and identity spoofing.
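The root cause named above is a header value that is written to the wire without checking for CR/LF. The following added example (not Payara's or Grizzly's code) shows, in Python, why that matters and what the fix looks like: a naive serializer that joins header lines as given, a receiver-side line count that shows the extra header line produced, and a hardened serializer that validates names and values against the RFC 9110 field grammar and refuses to emit anything containing CR, LF or other control characters. The header lists are constructed sample data; the cookie value in them is a harmless placeholder.

```python
import re

# RFC 9110 field-value grammar: HTAB, visible ASCII (0x20-0x7E) and obs-text
# (0x80-0xFF). CR, LF, NUL, the other C0 controls and DEL are not allowed.
_FIELD_VALUE_RE = re.compile(r"^[\t\x20-\x7e\x80-\xff]*$")
# RFC 9110 token grammar for field names.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_field_name(name: str) -> bool:
    """True if the header name is a valid RFC 9110 token."""
    return bool(_TOKEN_RE.match(name))


def is_valid_field_value(value: str) -> bool:
    """True if the header value contains no CR/LF or other control characters."""
    return bool(_FIELD_VALUE_RE.match(value))


def naive_serialize(headers: list[tuple[str, str]]) -> bytes:
    """Vulnerable pattern: joins header lines without validation.

    A CRLF inside a value is emitted verbatim, so the receiver parses the
    text after it as a separate header line (or, with a blank line, as the
    start of a second message).
    """
    lines = [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def safe_serialize(headers: list[tuple[str, str]]) -> bytes:
    """Hardened pattern: reject any name or value outside the field grammar.

    Rejecting (rather than stripping) keeps the caller's bug visible and
    avoids producing a header whose meaning differs from what was intended.
    """
    for name, value in headers:
        if not is_valid_field_name(name):
            raise ValueError(f"invalid header name: {name!r}")
        if not is_valid_field_value(value):
            raise ValueError(f"control characters in header value for {name!r}")
    return naive_serialize(headers)


def header_line_count(serialized: bytes) -> int:
    """Count header lines the way a receiver would: split on CRLF up to the blank line."""
    head = serialized.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n"))


# Constructed sample data (not from the advisory).
SAFE_HEADERS = [("Content-Type", "text/html"), ("Location", "/home")]
# A value carrying an embedded CRLF, as would reach the serializer when a
# redirect target or similar is built from unvalidated input.
UNSAFE_HEADERS = [("Content-Type", "text/html"),
                  ("Location", "/home\r\nSet-Cookie: demo=1")]


def demo() -> dict:
    """Return the observable difference between the two serializers."""
    result = {
        "naive_lines": header_line_count(naive_serialize(UNSAFE_HEADERS)),
        "safe_lines": header_line_count(safe_serialize(SAFE_HEADERS)),
        "rejected": False,
    }
    try:
        safe_serialize(UNSAFE_HEADERS)
    except ValueError:
        result["rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

With the constructed input, the naive serializer yields three header lines from two headers, which is the splitting the advisory describes; the hardened serializer emits the clean list unchanged and raises on the tainted one. The same validation belongs wherever a server builds header fields from request-derived data, and an HTTP library that applies it at the serialization layer closes the class of bug regardless of which caller forgot to check.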

Remediation

Users can upgrade to Payara Server versions 4.1.152, 5.71.0, or 6.22.0, or to Payara Micro versions 5.71.0 or 6.22.0.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.