CVE-2024-9408
Java Análisis y mitigación de vulnerabilidades

Vista general

CVE-2024-9408 is a Server-Side Request Forgery (SSRF) vulnerability in Eclipse GlassFish that allows unauthenticated remote attackers to exploit specific endpoints to perform SSRF attacks. The vulnerability affects Eclipse GlassFish version 6.2.5 and earlier (since version 6.2.5), specifically in the org.glassfish.main.admingui:console-common Maven package. It was published on July 16, 2025, with the GitHub Advisory updated on July 18, 2025. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 base score of 8.9 (High) (GitHub Advisory, Red Hat CVE).

Técnicas

The vulnerability is classified as CWE-918 (Server-Side Request Forgery), where the GlassFish web server fails to sufficiently validate or restrict URLs or requests received from upstream components before forwarding them to downstream systems (GitHub Advisory). The flaw resides in specific endpoints of the GlassFish Admin Console (console-common component), which can be abused to cause the server to issue crafted requests to arbitrary internal or external destinations. Exploitation requires no authentication, no user interaction, and no special privileges, making it trivially accessible over the network. No public proof-of-concept code has been identified at this time (Red Hat CVE).

Impacto

Successful exploitation allows an attacker to manipulate the GlassFish server into issuing requests to internal network resources that would otherwise be inaccessible, potentially exposing sensitive internal services, metadata endpoints (e.g., cloud instance metadata), or backend APIs. The CVSS v4.0 scoring reflects high confidentiality impact on both the vulnerable and subsequent systems, indicating significant risk of information disclosure across network boundaries. In cloud or containerized environments, this could enable access to instance metadata services, internal credentials, or facilitate lateral movement to other internal systems (GitHub Advisory, Red Hat CVE).

Pasos de explotación

  1. Reconnaissance: Identify internet-facing Eclipse GlassFish instances running version 6.2.5 or earlier using tools like Shodan or Censys, searching for GlassFish Admin Console banners or default ports (4848 for admin, 8080/8181 for HTTP/HTTPS).
  2. Identify vulnerable endpoints: Enumerate the GlassFish Admin Console endpoints associated with the console-common component that handle server-side URL requests or proxy-like functionality.
  3. Craft SSRF payload: Construct an HTTP request to a vulnerable endpoint that includes a manipulated URL parameter pointing to an internal target (e.g., http://169.254.169.254/latest/meta-data/ for cloud metadata, or internal service addresses like http://internal-db:5432/).
  4. Submit the request: Send the crafted request to the GlassFish server without authentication. The server processes the attacker-supplied URL and issues a request to the specified internal destination.
  5. Retrieve response: Analyze the server's response for data returned from the internal resource, enabling information disclosure, credential harvesting, or further internal network mapping (GitHub Advisory).

Indicadores de compromiso

  • Network: Outbound HTTP/HTTPS requests from the GlassFish server process to internal IP ranges (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata endpoints (169.254.169.254); unexpected connections to non-standard internal ports originating from the GlassFish process.
  • Logs: GlassFish access logs showing repeated or unusual requests to Admin Console endpoints (/console-common or related paths) with URL-like parameters; server-side error logs indicating failed connection attempts to internal hosts.
  • Process: Unusual outbound network connections initiated by the GlassFish JVM process (java) to internal services or metadata endpoints not part of normal application behavior.

Mitigación y soluciones alternativas

The GitHub Advisory notes that no patched version has been formally published for the org.glassfish.main.admingui:console-common package as of the advisory date, with all versions up to and including 6.2.5 listed as affected (GitHub Advisory). Organizations should monitor the Eclipse GlassFish project for an updated release and upgrade as soon as a patched version becomes available. In the interim, recommended mitigations include: (1) restricting network access to the GlassFish Admin Console (port 4848) to trusted IP addresses only; (2) implementing egress filtering on the GlassFish server to block outbound requests to internal network ranges and cloud metadata endpoints; (3) applying network segmentation to limit the blast radius of potential SSRF exploitation; and (4) conducting regular audits of server-side request handling in deployed GlassFish configurations (Red Hat CVE).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Java Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NoJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoNoJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NoJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoJul 15, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades