CVE-2024-7312: 
Payara Micro vulnerability analysis and mitigation

A URL Redirection to Untrusted Site ('Open Redirect') vulnerability (CVE-2024-7312) was discovered in Payara Platform Payara Server's REST Management Interface modules, allowing potential session hijacking. The vulnerability affects multiple versions of Payara Server: from 6.0.0 before 6.18.0, from 6.2022.1 before 6.2024.9, from 5.2020.2 before 5.2022.5, from 5.20.0 before 5.67.0, and from 4.1.2.191.0 before 4.1.2.191.50 (NVD).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site). According to the CVSS v3.1 scoring, it has received a base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The CVSS v4.0 assessment from Payara indicates a score of 7.0 (HIGH) with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:H/SA:H (NVD).

The vulnerability could lead to session hijacking through URL redirection to untrusted sites. This could potentially compromise user sessions and lead to unauthorized access to sensitive information (NVD).

The vulnerability has been addressed in multiple version updates. Users should upgrade to Payara Server version 6.18.0, 6.2024.9, 5.2022.5, 5.67.0, or 4.1.2.191.50 depending on their current version track (Payara Release Notes).