Payara 6 is vulnerable to XSS, see (CVE-2025-14340).
I have a running Dataverse using Payara 6. How can I update to Payara 7?
Is it enough to download a new Payara distribution and redeploy the WAR?
Thanks
Jannis
Jannis – thanks for the heads up. FWIW: https://guides.dataverse.org/en/latest/developers/security.html#intake-of-security-issues is the recommended way for reporting security issues.
W.r.t. this CVE - note that that CVE relates to the Payara Admin interface (as far as I can see) which should not be exposed to the Internet in general in any installation. If anyone thinks it is something that can be exploited through Dataverse itself, please let us know.
W.r.t. Payara 7 – we’ve noted that Payara 6 community edition was no longer getting security updates and have had plans to update to 7 for a while. That was delayed as Payara 7.2025.x had a bug that made it incapable of handling API calls with ‘:’ characters (everything we send with persistentId=doi:…). It looks like 7.2026.1 has a fix for that and we are currently testing Java 21 and Payara 7.2026.1 in https://github.com/IQSS/dataverse/pull/12043 which is expected to be part of Dataverse 6.10. While many of the changes in that PR are to documentation and install scripts, if you look through it, you’ll see that there are some ~minor code changes needed to work with Payara 7. If you want to update to 7 early, I expect you’d need to make those changes. (If anyone discovers that this applies to Dataverse rather than just the Payara admin interface, we can potentially back-port these changes to 6.9, etc.)
Thanks,
-- Jim