CVE-2026-12606
Glassfish Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-12606 is an HTTP request smuggling vulnerability in Eclipse Grizzly caused by improper parsing of malformed trailer header lines. It affects Eclipse Grizzly versions 4.0.0 through 4.0.2 and 5.0.0 through 5.0.1 (i.e., before 5.0.2). The vulnerability was published on July 14, 2026, by the Eclipse Foundation. It carries a CVSS v3.1 base score of 5.3 (Medium) and a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory, Eclipse GitLab).

Détails techniques

The root cause is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests / HTTP Request Smuggling). Eclipse Grizzly fails to correctly parse the trailer section when HTTP trailer headers are malformed, creating an ambiguity in how the request boundaries are interpreted between Grizzly and any downstream systems or proxies. An unauthenticated, remote attacker can exploit this by sending specially crafted HTTP requests with malformed trailer headers, causing the server and downstream components to disagree on where one request ends and another begins. No authentication or user interaction is required, though the CVSS v4.0 metric notes that attack requirements (specific deployment conditions) must be present (GitHub Advisory, Eclipse GitLab).

Impact

Successful exploitation allows an unauthenticated attacker to inject or smuggle malicious HTTP requests into the processing pipeline, potentially bypassing security controls such as web application firewalls or access control mechanisms. The primary impact is on integrity (unauthorized modification or injection of request data), with no direct confidentiality or availability impact assessed. In multi-tier architectures where Grizzly acts as a front-end or intermediary, smuggled requests could be interpreted as legitimate requests by backend systems, enabling session hijacking, cache poisoning, or unauthorized access to restricted resources (GitHub Advisory, Eclipse GitLab).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing services running Eclipse Grizzly versions 4.0.0–4.0.2 or 5.0.0–5.0.1, particularly those deployed behind reverse proxies or load balancers that may interpret HTTP differently.
  2. Craft malformed trailer header: Construct an HTTP/1.1 request using chunked transfer encoding that includes a malformed trailer header section — for example, a trailer line with an invalid format that Grizzly cannot correctly parse but a downstream system may interpret differently.
  3. Send smuggled request: Transmit the crafted request to the Grizzly-based server. The malformed trailer causes Grizzly to misidentify the boundary between requests, allowing a second, hidden request to be embedded within the body of the first.
  4. Achieve objective: The smuggled request is forwarded to and processed by the downstream system as a separate, attacker-controlled request — potentially bypassing authentication checks, poisoning shared caches, or hijacking another user's session depending on the deployment architecture (GitHub Advisory, Eclipse GitLab).

Indicateurs de compromis

  • Network: Unusual HTTP/1.1 chunked-encoding requests with malformed or unexpected trailer headers sent to Grizzly-based endpoints; requests where the Content-Length and Transfer-Encoding headers conflict or where trailer sections contain syntactically invalid lines.
  • Logs: Access logs showing unexpected or duplicate request processing for a single connection; backend application logs recording requests that do not correspond to any client-visible activity; anomalous HTTP 400/500 responses from downstream systems following well-formed client requests.
  • Application Behavior: Unexpected session crossover or access control bypass events in application logs; cache entries containing attacker-injected content; discrepancies between front-end and back-end request logs for the same connection.

Atténuation et solutions de contournement

The Eclipse Foundation has released Eclipse Grizzly 5.0.2 as the patched version, which correctly handles malformed trailer header lines. Users running the 4.x branch (4.0.0–4.0.2) should upgrade to 5.0.2 or later, as no patch for the 4.x branch is indicated. As a network-level workaround, deploying strict HTTP header validation and request filtering at the perimeter (e.g., via a WAF configured to reject malformed chunked-encoding or trailer headers) can reduce exposure. Upgrading to 5.0.2 or later is the recommended and definitive remediation (GitHub Advisory, Eclipse GitLab).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Glassfish Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-2587CRITICAL9.6
  • Java logoJava
  • org.glassfish.jsftemplating:jsftemplating
NonOuiMay 19, 2026
CVE-2026-2586CRITICAL9.1
  • Java logoJava
  • glassfish
NonOuiMay 19, 2026
CVE-2024-9408HIGH8.9
  • Java logoJava
  • org.glassfish.main.admingui:console-common
NonNonJul 16, 2025
CVE-2026-12606MEDIUM6.3
  • Glassfish logoGlassfish
  • grizzly
NonOuiJul 14, 2026
CVE-2024-9343MEDIUM6.1
  • Java logoJava
  • org.glassfish.main.admingui:console-common
NonNonJul 16, 2025

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités