CVE-2026-12606:
Glassfish Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-12606 is an HTTP request smuggling vulnerability in Eclipse Grizzly caused by improper parsing of malformed trailer header lines. It affects Eclipse Grizzly versions 4.0.0 through 4.0.2 and 5.0.0 through 5.0.1 (i.e., before 5.0.2). The vulnerability was published on July 14, 2026, by the Eclipse Foundation. It carries a CVSS v3.1 base score of 5.3 (Medium) and a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory, Eclipse GitLab).
Técnicas
The root cause is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests / HTTP Request Smuggling). Eclipse Grizzly fails to correctly parse the trailer section when HTTP trailer headers are malformed, creating an ambiguity in how the request boundaries are interpreted between Grizzly and any downstream systems or proxies. An unauthenticated, remote attacker can exploit this by sending specially crafted HTTP requests with malformed trailer headers, causing the server and downstream components to disagree on where one request ends and another begins. No authentication or user interaction is required, though the CVSS v4.0 metric notes that attack requirements (specific deployment conditions) must be present (GitHub Advisory, Eclipse GitLab).
Impacto
Successful exploitation allows an unauthenticated attacker to inject or smuggle malicious HTTP requests into the processing pipeline, potentially bypassing security controls such as web application firewalls or access control mechanisms. The primary impact is on integrity (unauthorized modification or injection of request data), with no direct confidentiality or availability impact assessed. In multi-tier architectures where Grizzly acts as a front-end or intermediary, smuggled requests could be interpreted as legitimate requests by backend systems, enabling session hijacking, cache poisoning, or unauthorized access to restricted resources (GitHub Advisory, Eclipse GitLab).
Pasos de explotación
- Reconnaissance: Identify internet-facing services running Eclipse Grizzly versions 4.0.0–4.0.2 or 5.0.0–5.0.1, particularly those deployed behind reverse proxies or load balancers that may interpret HTTP differently.
- Craft malformed trailer header: Construct an HTTP/1.1 request using chunked transfer encoding that includes a malformed trailer header section — for example, a trailer line with an invalid format that Grizzly cannot correctly parse but a downstream system may interpret differently.
- Send smuggled request: Transmit the crafted request to the Grizzly-based server. The malformed trailer causes Grizzly to misidentify the boundary between requests, allowing a second, hidden request to be embedded within the body of the first.
- Achieve objective: The smuggled request is forwarded to and processed by the downstream system as a separate, attacker-controlled request — potentially bypassing authentication checks, poisoning shared caches, or hijacking another user's session depending on the deployment architecture (GitHub Advisory, Eclipse GitLab).
Indicadores de compromiso
- Network: Unusual HTTP/1.1 chunked-encoding requests with malformed or unexpected trailer headers sent to Grizzly-based endpoints; requests where the
Content-LengthandTransfer-Encodingheaders conflict or where trailer sections contain syntactically invalid lines. - Logs: Access logs showing unexpected or duplicate request processing for a single connection; backend application logs recording requests that do not correspond to any client-visible activity; anomalous HTTP 400/500 responses from downstream systems following well-formed client requests.
- Application Behavior: Unexpected session crossover or access control bypass events in application logs; cache entries containing attacker-injected content; discrepancies between front-end and back-end request logs for the same connection.
Mitigación y soluciones alternativas
The Eclipse Foundation has released Eclipse Grizzly 5.0.2 as the patched version, which correctly handles malformed trailer header lines. Users running the 4.x branch (4.0.0–4.0.2) should upgrade to 5.0.2 or later, as no patch for the 4.x branch is indicated. As a network-level workaround, deploying strict HTTP header validation and request filtering at the perimeter (e.g., via a WAF configured to reject malformed chunked-encoding or trailer headers) can reduce exposure. Upgrading to 5.0.2 or later is the recommended and definitive remediation (GitHub Advisory, Eclipse GitLab).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Glassfish Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."