CVE-2024-9329 — Improper Handling of Parameters in Glassfish

CWE-233 — Improper Handling of Parameters CWE-601 — Open Redirect4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.6%

top 31.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Glassfish Eclipse Foundation Glassfish

Timeline

PublishedSep 30

Description

In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDeclipse/glassfish< 7.0.17

▶CVEListV5eclipse_foundation/glassfish5.1.0 — 7.0.16

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

Glassfish redirect to untrusted site↗2024-09-30

▶

OSV

Eclipse Glassfish improperly handles http parameters↗2024-09-30

▶

GHSA

Eclipse Glassfish improperly handles http parameters↗2024-09-30

▶