In Eclipse GlassFish versions before 7.0.17, the value of the HTTP Host request header (the "Host HTTP parameter" in the original description) is used to build the redirect target when the requested endpoint is '/management/domain': a request that arrives with an attacker-chosen Host value makes the server answer with a redirect to that host. By pointing it at a malicious site, an attacker can land users on a phishing page and steal their credentials (CWE-601, URL redirection to an untrusted site). Note that a browser fills in Host from the URL it was given, so an attacker needs some way to make the victim's request reach the server with a spoofed Host (for example a reverse proxy or load balancer that forwards arbitrary Host values). The quickest check on an exposed instance is to request /management/domain with a foreign Host value and inspect the Location header of the response.
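The following is an added illustrative example, not GlassFish's own code and not taken from the advisory: a minimal model of a redirect assembled from the Host header (the weakness pattern described above), a hardened variant that only echoes an allowlisted Host and otherwise falls back to a relative Location, and the check an operator would run on a captured response. The allowlist in TRUSTED_HOSTS, the function names, and the sample 302 response are all constructed for the example.

```python
# Added illustrative example (not GlassFish code): models the Host-header-driven
# redirect described for CVE-2024-9329, a hardened form, and a response check.
from typing import Optional
from urllib.parse import urlsplit

# Assumption (constructed for this example): hostnames the admin listener is
# legitimately reachable under. A real deployment would take these from config.
TRUSTED_HOSTS = {"admin.example.internal:4848", "localhost:4848"}

ENDPOINT = "/management/domain"


def vulnerable_redirect(host_header: str) -> str:
    """Models the weakness: the Location value is assembled straight from the
    request's Host header, so whoever controls Host controls the redirect
    target (CWE-601, URL redirection to an untrusted site)."""
    return f"http://{host_header}{ENDPOINT}/"


def hardened_redirect(host_header: str) -> str:
    """Illustrative fix: echo Host only when it is on the allowlist; otherwise
    send a relative Location, which the client resolves against the origin it
    actually connected to, so no off-site hop is possible."""
    host = host_header.strip().lower()
    if host in TRUSTED_HOSTS:
        return f"http://{host}{ENDPOINT}/"
    return f"{ENDPOINT}/"


def parse_location(raw_response: str) -> Optional[str]:
    """Pulls the Location header out of a raw HTTP response (status line plus
    headers, as captured with curl -i). Returns None if there is none."""
    for line in raw_response.splitlines()[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def redirect_leaves_origin(location: str, expected_host: str) -> bool:
    """Detection check: True when Location points at an authority other than
    the host the request was meant for. A relative Location has no netloc and
    stays on the current origin. The whole authority is compared (including
    any userinfo), so 'trusted-host@evil.example' is still flagged."""
    parts = urlsplit(location)
    if not parts.netloc:
        return False
    return parts.netloc.lower() != expected_host.lower()


def check_captured_response(raw_response: str, expected_host: str) -> bool:
    """True when a captured response redirects off the expected host."""
    location = parse_location(raw_response)
    return location is not None and redirect_leaves_origin(location, expected_host)


# Constructed sample (not a real capture): headers a vulnerable server would
# return for GET /management/domain sent with 'Host: evil.example'.
SAMPLE_VULNERABLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://evil.example/management/domain/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("vulnerable:", vulnerable_redirect("evil.example"))
    print("hardened:  ", hardened_redirect("evil.example"))
    print("captured response leaves origin:",
          check_captured_response(SAMPLE_VULNERABLE_RESPONSE,
                                  "admin.example.internal:4848"))
```

To run the check against a live instance, capture the headers with something like `curl -s -i -H 'Host: evil.example' http://<admin-host>:4848/management/domain` (4848 is the default GlassFish admin port; substitute your own listener) and pass the output to check_captured_response with the hostname you expect. A relative Location, or an absolute one that names the expected host, means the server is not echoing the spoofed Host.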
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Mon, 07 Oct 2024 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse glassfish
Weaknesses CWE-601
CPEs cpe:2.3:a:eclipse:glassfish:*:*:*:*:*:*:*:*
Vendors & Products Eclipse
Eclipse glassfish
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 30 Sep 2024 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse Foundation
Eclipse Foundation glassfish
CPEs cpe:2.3:a:eclipse_foundation:glassfish:*:*:*:*:*:*:*:*
Vendors & Products Eclipse Foundation
Eclipse Foundation glassfish
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Sep 2024 07:30:00 +0000

Type Values Removed Values Added
Description In Eclipse Glassfish versions before 7.0.17, The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
Title Glassfish redirect to untrusted site
Weaknesses CWE-233
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2024-09-30T07:11:53.688Z

Updated: 2024-10-07T15:59:12.662Z

Reserved: 2024-09-29T16:38:56.846Z

Link: CVE-2024-9329

Vulnrichment

Updated: 2024-10-07T15:59:12.662Z

NVD

Status : Modified

Published: 2024-09-30T08:15:05.690

Modified: 2024-11-21T09:54:17.147

Link: CVE-2024-9329

Redhat

No data.