CVE-2021-41381
published 2021-09-23

CVE-2021-41381: Payara Micro Community 5.2021.6 and below allows Directory Traversal.

Priority: P2 · 69 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT · EPSS 52.93% (98.8th percentile)

Affected (1 range)

Vendor: payara
Product: micro_community
Version range: <= 5.2021.6
Fixed in: not listed

Detection & IOCs (extracted from sources)

Path: /.//WEB-INF/classes/META-INF/microprofile-config.properties
Command: curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties
  • Detect exploitation attempts by matching HTTP GET requests whose request URI contains the traversal pattern '/.//WEB-INF/'.
  • Confirm successful exploitation by checking the HTTP response body for both strings 'payara.security.openid.default.providerURI=' AND 'payara.security.openid.sessionScopedConfiguration=true'. These values come from the microprofile-config.properties of the application used in the PoC; on a different deployment, treat any readable microprofile-config.properties (or other WEB-INF content) returned with HTTP 200 as confirmation.
  • The bypass relies on the '/.//' sequence (a dot segment followed by a double slash) in front of WEB-INF, which slips past the standard WEB-INF path protection; monitor for this pattern in access logs.
  • Use the --path-as-is flag in curl to stop the client from normalizing the path before sending it; on the defensive side, look for raw, un-normalized request paths in server access logs, since a logger that records the normalized path will hide the pattern.
  • The vulnerability affects Payara Micro Community 5.2021.6 and below only; later versions are not confirmed vulnerable.
  • The exploit was tested on both Linux and Windows, so detection rules should not be scoped to one OS.
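The detection logic described in the bullets above, as an added worked example that is not code from the tracker or from Payara. It parses a handful of constructed access-log lines in combined log format, flags GET requests carrying the '/.//WEB-INF/' marker on the raw request-target, and applies the two-string response check. Two extensions beyond the page are assumptions labelled in the code: the marker is also checked after percent-decoding, and WEB-INF is compared case-insensitively because the exploit was reported working on Windows.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Sep/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Sep/2021:10:12:07 +0000] "GET /.//WEB-INF/classes/META-INF/microprofile-config.properties HTTP/1.1" 200 341 "-" "curl/7.79.1"
203.0.113.9 - - [23/Sep/2021:10:12:09 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0 "-" "curl/7.79.1"
203.0.113.9 - - [23/Sep/2021:10:12:11 +0000] "GET /.%2F%2Fweb-inf/web.xml HTTP/1.1" 200 900 "-" "curl/7.79.1"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, raw request-target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The traversal sequence named in the advisory: a dot segment followed by a double slash
# directly in front of WEB-INF. It is matched verbatim on the raw request-target.
TRAVERSAL_MARKER = "/.//WEB-INF/"

# Strings the PoC checks for in the returned microprofile-config.properties.
EXPLOIT_MARKERS = (
    "payara.security.openid.default.providerURI=",
    "payara.security.openid.sessionScopedConfiguration=true",
)


def is_traversal_attempt(path: str) -> bool:
    """True if the raw or percent-decoded request path carries the '/.//WEB-INF/' marker.

    Assumptions beyond the page: the percent-decoded form is also checked so that an
    encoded '%2F%2F' does not evade the rule, and the comparison is case-insensitive
    because the exploit was reported working on Windows (case-insensitive filesystem).
    """
    needle = TRAVERSAL_MARKER.lower()
    return any(needle in candidate.lower() for candidate in (path, unquote(path)))


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan_log(text: str) -> list:
    """Return the GET requests in `text` that match the traversal pattern.

    Each hit keeps the raw path (what the server actually received), the decoded path
    for the analyst, and a flag for HTTP 200, which is the status a successful read returns.
    """
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_traversal_attempt(rec["path"]):
            rec["decoded_path"] = unquote(rec["path"])
            rec["likely_success"] = rec["status"] == 200
            hits.append(rec)
    return hits


def confirms_exploitation(body: str) -> bool:
    """Apply the PoC's response check: both marker strings must be present in the body."""
    return all(marker in body for marker in EXPLOIT_MARKERS)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} {hit['status']} {hit['path']} "
              f"-> {hit['decoded_path']} likely_success={hit['likely_success']}")
```

Run against the constructed lines, the scan flags the second request (the exact PoC path, HTTP 200) and the fourth (the same pattern with the slashes percent-encoded); the third line, a direct request for /WEB-INF/web.xml, is not flagged because it is the normal container-protected path rather than the bypass, and its 404 shows the protection working. Feed real log files through `scan_log` only if the logger records the request-target as received; a normalized path will never contain the marker.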

CVSS provenance

NVD v3.1: 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 4.3 MEDIUM · AV:N/AC:M/Au:N/C:P/I:N/A:N