CVE-2024-9329 – Glassfish redirect to untrusted site
https://notcve.org/view.php?id=CVE-2024-9329
In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. • https://github.com/eclipse-ee4j/glassfish/pull/25106 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/232 • CWE-233: Improper Handling of Parameters •
CVE-2024-8646 – Eclipse Glassfish: URL redirection vulnerability to untrusted sites
https://notcve.org/view.php?id=CVE-2024-8646
In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/'). • https://github.com/eclipse-ee4j/glassfish/pull/24655 https://gitlab.eclipse.org/security/cve-assignement/-/issues/34 https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/163 https://glassfish.org/download • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2023-5763 – Glassfish remote code execution
https://notcve.org/view.php?id=CVE-2023-5763
In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners. En Eclipse Glassfish 5 o 6, ejecutado con versiones antiguas de JDK (inferiores a 6u211, o < 7u201, o < 8u191), permite a atacantes remotos cargar código malicioso en el servidor mediante el acceso a oyentes ORB inseguros. • https://gitlab.eclipse.org/security/cve-assignement/-/issues/14 https://glassfish.org/docs/latest/security-guide.html#securing-glassfish-server • CWE-20: Improper Input Validation CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVE-2022-2712
https://notcve.org/view.php?id=CVE-2022-2712
In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code. En las versiones 5.1.0 a 6.2.5 de Eclipse GlassFish, existe una vulnerabilidad en relative path traversal porque no filtra la ruta de solicitud que comienza con './'. Una explotación exitosa podría permitir que un atacante remoto no autenticado acceda a datos críticos, como archivos de configuración y código fuente de aplicaciones implementadas. • https://bugs.eclipse.org/580502 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •