Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qcTNmLW1mbWctNzQ3eM4AA_3r
Eclipse Glassfish improperly handles http parameters
In Eclipse Glassfish versions before 7.0.17, the Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is /management/domain. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcTNmLW1mbWctNzQ3eM4AA_3r
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 1 month ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-jq3f-mfmg-747x, CVE-2024-9329
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-9329
- https://github.com/eclipse-ee4j/glassfish/pull/25106
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/232
- https://github.com/eclipse-ee4j/glassfish/commit/6ca35eee2ba90a8108984b27bec33f9cc50cd83b
- https://github.com/advisories/GHSA-jq3f-mfmg-747x
Blast Radius: 3.7
Affected Packages
maven:org.glassfish.main.admin:rest-service
Dependent packages: 7Dependent repositories: 5
Downloads:
Affected Version Ranges: < 7.0.17
Fixed in: 7.0.17
All affected versions: 5.1.0, 6.0.0, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16
All unaffected versions: 7.0.17, 7.0.18