CVE-2011-5035

Oracle Glassfish < 3.1.1 - Denial of Service via Predictable Hash Collisions

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-5035. PoCs published by rgod, Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, Krzysztof Kotowicz, Christian Mehlmauer, including Metasploit module auxiliary/dos/http/hashcollision_dos.

AI-analyzed exploit summary This exploit demonstrates a SQL injection vulnerability in MyBulletinBoard (MyBB) <= 1.1.5 via the CLIENT-IP HTTP header, allowing an attacker to retrieve the admin login key and create a new admin user.

Description

Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.

Exploits (2)

exploitdb WORKING POC VERIFIED

by rgod · phpwebappsphp

https://www.exploit-db.com/exploits/2012

View Code ZIP pw:eip

This exploit demonstrates a SQL injection vulnerability in MyBulletinBoard (MyBB) <= 1.1.5 via the CLIENT-IP HTTP header, allowing an attacker to retrieve the admin login key and create a new admin user.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: MyBulletinBoard (MyBB) <= 1.1.5

No auth needed

Prerequisites: Network access to the target MyBB installation

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC

by Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, Krzysztof Kotowicz, Christian Mehlmauer · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/hashcollision_dos.rb

View Code ZIP pw:eip

This Metasploit module exploits a hash collision vulnerability in PHP and Java web servers by generating a large number of POST parameters with colliding hash values, causing excessive CPU consumption and a denial-of-service condition.

Classification

Working Poc 100%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: PHP + httpd, Tomcat, Glassfish, Geronimo

No auth needed

Prerequisites: network access to target web server

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Jun 05, 2026 Full analysis →

References (25)

Core 25

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2013-1455.html

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2012-0514.html

Third Party Advisory vendor-advisory x_refsource_gentoo

http://security.gentoo.org/glsa/glsa-201406-32.xml

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/48074

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=133847939902305&w=2

Various Sources x_refsource_misc

https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py

View Writeup ZIP pw:eip

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=134254866602253&w=2

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/48589

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16908

Various Sources x_refsource_misc

http://www.nruns.com/_downloads/advisory28122011.pdf

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00010.html

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/48073

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/48950

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=133364885411663&w=2

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/57126

US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/903934

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2012/dsa-2420

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=134254957702612&w=2

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

Third Party Advisory mailing-list x_refsource_bugtraq

http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html

Vendor Advisory vendor-advisory x_refsource_mandriva

http://www.mandriva.com/security/advisories?name=MDVSA-2013:150

Mailing List vendor-advisory x_refsource_hp

http://marc.info/?l=bugtraq&m=139344343412337&w=2

Various Sources x_refsource_misc

http://www.ocert.org/advisories/ocert-2011-003.html

Scores

EPSS 0.6891

EPSS Percentile 99.3%

Details

CWE

CWE-20

Status published

Products (3)

oracle/glassfish_server 2.1.1

oracle/glassfish_server 3.0.1

oracle/glassfish_server < 3.1.1

Published Dec 30, 2011

Tracked Since Feb 18, 2026