Impact
This authenticated remote code execution vulnerability occurs in the GlassFish Administration Console. An attacker who can authenticate to the console can send specially crafted requests that cause the server to execute arbitrary operating system commands with the privileges of the account running the GlassFish service. The weakness is classified as CWE-917, Expression Language Injection (CWE-78 is the identifier for OS command injection): attacker-controlled input reaches an expression evaluator, and in a Jakarta EE server an injected expression can call arbitrary methods, including ones that spawn operating system processes, which is what yields arbitrary code execution on the host.
Affected Systems
The vulnerability affects Eclipse GlassFish. Versions 8.0.0 through 8.0.1, version 7.1.0, and versions 7.0.0 through 7.0.25 are affected; the fixes ship in 8.0.2, 7.1.1, and 7.0.26 respectively. The impact on versions 5.1.0 through 6.2.5 has not been assessed, so installations in that range should be treated as potentially affected until confirmed otherwise.
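The ranges above are awkward to apply by hand across a fleet, so the following is an added example (not part of the advisory or of the GlassFish project) that encodes them as a version check. It assumes the installed version is obtained from the output of `asadmin version`, whose line format is assumed here and illustrated with a constructed sample; the classification logic itself only uses the ranges stated on this page.

```python
"""Classify a GlassFish version against the affected ranges in this advisory.

Added example; the ranges are copied from the Affected Systems section,
everything else (parsing, the asadmin output format) is an assumption.
"""
import re

# (first affected, last affected, first fixed release), as stated in the advisory.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    ((7, 1, 0), (7, 1, 0), (7, 1, 1)),
    ((7, 0, 0), (7, 0, 25), (7, 0, 26)),
]

# 5.1.0 through 6.2.5: the advisory does not assess impact for these releases.
UNKNOWN_RANGE = ((5, 1, 0), (6, 2, 5))


def parse_version(text):
    """Turn '7.0.25', 'v7.0', or '7.0.25-something' into a 3-tuple of ints.

    Qualifiers after '-' are dropped; missing components are treated as 0.
    Raises ValueError for anything that is not dotted integers.
    """
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GlassFish version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def classify(text):
    """Return (status, first_fixed_release_or_None) for a version string.

    status is one of 'affected', 'unknown' (5.1.0-6.2.5 band), or 'not_listed'.
    """
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return ("affected", ".".join(str(n) for n in fixed))
    if UNKNOWN_RANGE[0] <= version <= UNKNOWN_RANGE[1]:
        return ("unknown", None)
    return ("not_listed", None)


def extract_version(asadmin_output):
    """Pull the first dotted version number out of `asadmin version` output.

    The exact line format is an assumption; the regex only relies on the
    version appearing as dotted integers somewhere in the text.
    """
    match = re.search(r"\b(\d+\.\d+(?:\.\d+)?)\b", asadmin_output)
    if not match:
        raise ValueError("no version number found in asadmin output")
    return match.group(1)


if __name__ == "__main__":
    # Constructed sample of what `asadmin version` might print (assumed format).
    sample_output = "Version = Eclipse GlassFish  7.0.25 (build 5)"
    installed = extract_version(sample_output)
    status, fixed = classify(installed)
    if status == "affected":
        print(f"{installed}: AFFECTED, upgrade to {fixed}")
    elif status == "unknown":
        print(f"{installed}: impact not assessed by the advisory, treat as exposed")
    else:
        print(f"{installed}: not listed as affected")
```

Boundary releases matter: 7.0.25 is the last affected 7.0.x build and 7.0.26 is the fix, so an off-by-one in a homegrown check either flags a patched host or misses a vulnerable one. The `unknown` status exists so that the 5.1.0 to 6.2.5 band is reported rather than silently passed.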
Risk and Exploitability
The CVSS base score of 9.1 places the vulnerability in the Critical range. The EPSS score of 0.00819 (an estimated probability of roughly 0.8% that the flaw is exploited in the wild within the next 30 days) is very low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so there is no confirmed evidence of exploitation yet. Exploitation requires the attacker to first authenticate to the Administration Console; once authenticated, the attacker can deliver crafted requests that trigger the command execution flaw. Because authentication is the only barrier, the console should be reachable only from trusted administrative networks (it listens on port 4848 by default) and protected with strong, unique administrator credentials until the fixed release is deployed.
OpenCVE Enrichment
Source: GitHub GHSA