Impact
A critical vulnerability allows remote attackers to execute arbitrary code on Eclipse GlassFish servers that expose the gadget handler. The handler's server-side template rendering processes .xml gadget files and evaluates user-supplied values in them as Expression Language (EL) expressions without sanitization or escaping. Submitting an expression such as #{7*7} and receiving 49 in the rendered output confirms that the server evaluates attacker-controlled EL rather than treating it as literal text. The flaw is classified as CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement). Because EL expressions can invoke methods on Java objects reachable from the rendering context, evaluation of attacker-controlled expressions can fully compromise the host: reading and writing data, executing commands, establishing persistence, and moving laterally.
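The #{7*7} check above can be turned into a repeatable, benign test. The following is an added example and not code from the advisory or from the GlassFish project: it builds a canary EL expression whose result is a large product, wraps it in an XML gadget document, and classifies the server's rendered output as evaluated, literal, or unknown. The gadget element names (Module, ModulePrefs, Content) and the idea that the handler returns the rendered document are assumptions; the sample responses are constructed for offline use, not captured from a real server.

```python
import re
import secrets

# Constructed sample responses (not captured from a real server), used to
# exercise the classifier offline. 123 * 456 = 56088.
SAMPLE_RENDERED_VULNERABLE = '<html><head><title>56088</title></head><body>gadget</body></html>'
SAMPLE_RENDERED_SAFE = '<html><head><title>#{123*456}</title></head><body>gadget</body></html>'
SAMPLE_RENDERED_STRIPPED = '<html><head><title></title></head><body>gadget</body></html>'


def canary_expression(a, b):
    """EL expression (#{a*b}) whose result is a number unlikely to occur by chance."""
    return f"#{{{a}*{b}}}"


def random_canary():
    """Two random four-digit factors; the product will not collide with years, ports, etc."""
    a = 1000 + secrets.randbelow(9000)
    b = 1000 + secrets.randbelow(9000)
    return a, b


def build_probe_xml(expr):
    """Hypothetical gadget document; the element names are an assumption, not GlassFish's schema."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<Module>\n'
        f'  <ModulePrefs title="{expr}"/>\n'
        '  <Content type="html"><![CDATA[probe]]></Content>\n'
        '</Module>\n'
    )


def classify(rendered, a, b):
    """Return 'evaluated', 'literal' or 'unknown' for a rendered response.

    'literal'   : the expression came back unchanged (no EL evaluation).
    'evaluated' : the product appears as a standalone number and the
                  expression itself is gone (EL was evaluated server-side).
    'unknown'   : neither seen, e.g. the field was dropped or rewritten.
    """
    expr = canary_expression(a, b)
    product = str(a * b)
    if expr in rendered:
        return "literal"
    # Lookarounds stop 56088 matching inside a longer digit run such as 156088.
    if re.search(rf"(?<!\d){product}(?!\d)", rendered):
        return "evaluated"
    return "unknown"


if __name__ == "__main__":
    a, b = random_canary()
    probe = build_probe_xml(canary_expression(a, b))
    # Send `probe` to the gadget handler with your HTTP client of choice and
    # pass the response body to classify(body, a, b). Offline demonstration:
    for name, body in (("vulnerable", SAMPLE_RENDERED_VULNERABLE),
                       ("safe", SAMPLE_RENDERED_SAFE),
                       ("stripped", SAMPLE_RENDERED_STRIPPED)):
        print(name, "->", classify(body, 123, 456))
```

Random factors matter because a fixed 7*7 produces 49, a number that can legitimately appear in page content and yield a false positive. A result of unknown is not a clean bill of health; it only means the probed field was not reflected, so other user-controlled fields in the gadget file should be tried.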
Affected Systems
The flaw affects Eclipse GlassFish servers in the following versions: from 8.0.0 through 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 through 7.0.25, fixed in 7.0.26. Versions 5.1.0 to 6.2.5 are not confirmed to be affected, and the impact of the vulnerability on those releases is unknown.
Risk and Exploitability
The CVSS score of 9.6 places this issue in the critical severity range, indicating a high impact if exploited. The EPSS score is below 1%, yet the lack of a mitigation short of upgrading and the nature of the flaw suggest a substantial exploitation likelihood for an attacker able to supply XML gadget files to the handler. The vulnerability is not listed in the CISA KEV catalog, which means CISA has not recorded confirmed in-the-wild exploitation; it does not mean exploitation is infeasible, and the inherent risk remains significant. The most likely attack vector is a remote attacker uploading a crafted XML file, or otherwise feeding malicious EL expressions to the gadget handler, which the server then evaluates inside its own JVM with the privileges of the GlassFish process.
OpenCVE Enrichment
GitHub GHSA