12 matches found
CVE-2022-2712
Vulnerability: CVE-2022-2712 affects Eclipse GlassFish 5.1.0–6.2.5. Root cause is a relative path traversal flaw that fails to filter request paths starting with './'. Impact stated: remote unauthenticated attacker could access critical data (e.g., configuration files and deployed application sou...
CVE-2023-5763
CVE-2023-5763 affects Eclipse Glassfish 5 and 6 when running on older JDKs (below 6u211, 7u201, or 8u191). The issue enables remote code loading via insecure ORB listeners, with Veracode describing RCE via specially crafted RMI requests to a vulnerable Glassfish server. The root cause is the use ...
CVE-2024-8646
CVE-2024-8646 — Eclipse GlassFish prior to 7.0.10 suffers a URL redirection vulnerability to untrusted sites. The flaw stems from CVE-2023-41080 embedded in the Apache code used by GlassFish and only affects applications deployed to the root context ‘/’. Public details in the connected documents ...
CVE-2024-9329
CVE-2024-9329 affects Eclipse GlassFish prior to 7.0.17. The Host HTTP parameter at the /management/domain endpoint can cause the web application to redirect to an attacker‑controlled URL, enabling phishing and potential credential theft. The reports indicate an Open Redirect risk tied to this pa...
CVE-2026-2587
CVE-2026-2587 describes a critical RCE in the server-side template rendering used by the Glassfish gadget handler. The flaw arises when processing .xml files, evaluating user-supplied values as Expression Language (EL) expressions without proper sanitization, e.g., #{7*7}, enabling server-side EL...
CVE-2026-2586
CVE-2026-2586: An authenticated RCE in GlassFish Administration Console. A user with console access can send crafted requests to execute arbitrary OS commands with the privileges of the application service user. Affected: GlassFish Admin Console. Impact (per provided metrics): high confidentialit...
CVE-2024-10029
CVE-2024-10029 affects Eclipse GlassFish 7.0.15, enabling Reflected XSS in the Administration Console. The vulnerability targets the Admin Console UI (org.glassfish.main.admingui:console-cluster-plugin/console-common) and can be exploited via crafted links to execute scripts in a user’s browser. ...
CVE-2024-9408
Eclipse GlassFish 6.2.5 and later is affected by an SSRF vulnerability in specific endpoints due to insufficient validation of user-supplied URLs. The issue allows the server to initiate arbitrary network requests to internal or external resources. Public sources (including NVD, Red Hat, Veracode...
CVE-2024-10032
CVE-2024-10032 affects Eclipse GlassFish 7.0.15, enabling Stored XSS attacks via the Administration Console. The issue targets the console-administration UI (org.glassfish.main.admingui:console-cluster-plugin) and is described across multiple sources (NVD/Red Hat/OSV/GHSA). The connected data con...
CVE-2024-10031
CVE-2024-10031 describes a Stored Cross-site Scripting (XSS) vulnerability in Eclipse GlassFish 7.0.15 triggered by modifying the underlying OS configuration file. Connected sources consistently report this stored XSS vector affecting GlassFish 7.0.15, with the underlying issue tied to configurat...
CVE-2024-9343
CVE-2024-9343 refers to a Stored XSS vulnerability in Eclipse GlassFish 7.0.15, exposed via the Administration Console. The issue affects the GlassFish admin UI (console-common/admingui) and can allow an attacker to inject scripts that run in a user’s browser when interacting with the console. Te...
CVE-2024-9342
Affected software: Eclipse GlassFish 7.0.16 and earlier. The issue is unlimited failed login attempts, enabling brute-force login; impact per sources includes potential unauthorized access. CVSS metrics in the initial document show high impact confidentiality, integrity, availability with network...