CVE-2018-14324

Severity: 9.8 CRITICAL
EPSS: 1.2% (top 20.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 16
Latest update: May 14

Description

The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP port 7676 open by default with a password of admin for the admin account. This allows remote attackers to obtain potentially sensitive information, perform database operations, or manipulate the demo via a JMX RMI session, aka a "jmx_rmi remote monitoring and control problem." NOTE: this is not an Oracle supported product.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 1 package

Vulnerability Details (3)

GHSA: GHSA-q577-wwww-c57j: The demo feature in Oracle GlassFish Open Source Edition 5 (2022-05-14)
OSV: CVE-2018-14324: The demo feature in Oracle GlassFish Open Source Edition 5 (2018-07-16)
CVEList: CVE-2018-14324: The demo feature in Oracle GlassFish Open Source Edition 5 (2018-07-16)