CVE-2024-9329

MEDIUM

Eclipse Glassfish < 7.0.17 - Open Redirect via Host HTTP Parameter

Title source: llm

Description

In Eclipse Glassfish versions before 7.0.17, the Host HTTP parameter could cause the web application to redirect to the specified URL when the requested endpoint is '/management/domain'. By modifying the URL value to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

References (3)


Scores

CVSS v3 6.1
EPSS 0.0057
EPSS Percentile 69.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-601 CWE-233
Status published
Products (2)
eclipse/glassfish < 7.0.17
org.glassfish.main.admin/rest-service 0 - 7.0.17 (Maven)
Published Sep 30, 2024
Tracked Since Feb 18, 2026