CVE-2024-9329: Eclipse Glassfish improperly handles http parameters

September 30, 2024 (updated October 7, 2024)

In Eclipse Glassfish versions before 7.0.17, the Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is /management/domain. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

References

github.com/advisories/GHSA-jq3f-mfmg-747x
github.com/eclipse-ee4j/glassfish
github.com/eclipse-ee4j/glassfish/commit/6ca35eee2ba90a8108984b27bec33f9cc50cd83b
github.com/eclipse-ee4j/glassfish/pull/25106
gitlab.eclipse.org/security/vulnerability-reports/-/issues/232
nvd.nist.gov/vuln/detail/CVE-2024-9329

Detect and mitigate CVE-2024-9329 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →