CVE-2024-9408
Java Analyse et atténuation des vulnérabilités

Aperçu

CVE-2024-9408 is a Server-Side Request Forgery (SSRF) vulnerability in Eclipse GlassFish that allows unauthenticated remote attackers to exploit specific endpoints to perform SSRF attacks. The vulnerability affects Eclipse GlassFish version 6.2.5 and earlier (since version 6.2.5), specifically in the org.glassfish.main.admingui:console-common Maven package. It was published on July 16, 2025, with the GitHub Advisory updated on July 18, 2025. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 base score of 8.9 (High) (GitHub Advisory, Red Hat CVE).

Détails techniques

The vulnerability is classified as CWE-918 (Server-Side Request Forgery), where the GlassFish web server fails to sufficiently validate or restrict URLs or requests received from upstream components before forwarding them to downstream systems (GitHub Advisory). The flaw resides in specific endpoints of the GlassFish Admin Console (console-common component), which can be abused to cause the server to issue crafted requests to arbitrary internal or external destinations. Exploitation requires no authentication, no user interaction, and no special privileges, making it trivially accessible over the network. No public proof-of-concept code has been identified at this time (Red Hat CVE).

Impact

Successful exploitation allows an attacker to manipulate the GlassFish server into issuing requests to internal network resources that would otherwise be inaccessible, potentially exposing sensitive internal services, metadata endpoints (e.g., cloud instance metadata), or backend APIs. The CVSS v4.0 scoring reflects high confidentiality impact on both the vulnerable and subsequent systems, indicating significant risk of information disclosure across network boundaries. In cloud or containerized environments, this could enable access to instance metadata services, internal credentials, or facilitate lateral movement to other internal systems (GitHub Advisory, Red Hat CVE).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing Eclipse GlassFish instances running version 6.2.5 or earlier using tools like Shodan or Censys, searching for GlassFish Admin Console banners or default ports (4848 for admin, 8080/8181 for HTTP/HTTPS).
  2. Identify vulnerable endpoints: Enumerate the GlassFish Admin Console endpoints associated with the console-common component that handle server-side URL requests or proxy-like functionality.
  3. Craft SSRF payload: Construct an HTTP request to a vulnerable endpoint that includes a manipulated URL parameter pointing to an internal target (e.g., http://169.254.169.254/latest/meta-data/ for cloud metadata, or internal service addresses like http://internal-db:5432/).
  4. Submit the request: Send the crafted request to the GlassFish server without authentication. The server processes the attacker-supplied URL and issues a request to the specified internal destination.
  5. Retrieve response: Analyze the server's response for data returned from the internal resource, enabling information disclosure, credential harvesting, or further internal network mapping (GitHub Advisory).

Indicateurs de compromis

  • Network: Outbound HTTP/HTTPS requests from the GlassFish server process to internal IP ranges (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata endpoints (169.254.169.254); unexpected connections to non-standard internal ports originating from the GlassFish process.
  • Logs: GlassFish access logs showing repeated or unusual requests to Admin Console endpoints (/console-common or related paths) with URL-like parameters; server-side error logs indicating failed connection attempts to internal hosts.
  • Process: Unusual outbound network connections initiated by the GlassFish JVM process (java) to internal services or metadata endpoints not part of normal application behavior.

Atténuation et solutions de contournement

The GitHub Advisory notes that no patched version has been formally published for the org.glassfish.main.admingui:console-common package as of the advisory date, with all versions up to and including 6.2.5 listed as affected (GitHub Advisory). Organizations should monitor the Eclipse GlassFish project for an updated release and upgrade as soon as a patched version becomes available. In the interim, recommended mitigations include: (1) restricting network access to the GlassFish Admin Console (port 4848) to trusted IP addresses only; (2) implementing egress filtering on the GlassFish server to block outbound requests to internal network ranges and cloud metadata endpoints; (3) applying network segmentation to limit the blast radius of potential SSRF exploitation; and (4) conducting regular audits of server-side request handling in deployed GlassFish configurations (Red Hat CVE).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Java Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NonOuiJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonNonJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NonOuiJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités