Eclipse Glassfish vulnerabilities

CVE-2024-9408 [HIGH] CWE-918 CVE-2024-9408: In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery att In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.

CVE-2024-10032 [MEDIUM] CWE-79 CVE-2024-10032: In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in th In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console.

CVE-2024-10029 [MEDIUM] CWE-79 CVE-2024-10029: In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting attacks in In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting attacks in the Administration Console.

CVE-2024-9342 [MEDIUM] CWE-307 CVE-2024-9342: In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks a In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts.

CVE-2024-9343 [MEDIUM] CWE-79 CVE-2024-9343: In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in th In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console.

CVE-2024-10031 [MEDIUM] CWE-79 CVE-2024-10031: In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting attacks by mo In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system.

CVE-2024-9329 [MEDIUM] CWE-233 CVE-2024-9329: In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

CVE-2024-8646 [MEDIUM] CVE-2024-8646: In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites ex In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulnerability to untrusted sites existed. This vulnerability is caused by the vulnerability (CVE-2023-41080) in the Apache code included in GlassFish. This vulnerability only affects applications that are explicitly deployed to the root context ('/').

CVE-2023-5763 [CRITICAL] CWE-20 CVE-2023-5763: In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.

CVE-2022-2712 [HIGH] CWE-22 CVE-2022-2712: In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal be In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code.