Moderate severity · NVD Advisory · Published Jul 16, 2025 · Updated Jul 16, 2025

CVE-2024-9342


Description

In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Eclipse GlassFish 7.0.16 and earlier lack login attempt rate limiting, enabling unauthenticated brute‑force password attacks.

Vulnerability

Description

CVE-2024-9342 is a missing rate‑limiting mechanism in Eclipse GlassFish versions 7.0.16 and earlier. The application does not restrict the number of failed login attempts, allowing an attacker to send an unlimited number of authentication requests without any throttling or account lockout [2][4].

Exploitation

The vulnerability is exploitable over the network without prior authentication. An attacker only needs to reach the GlassFish administrative or user login interface. Since no built‑in protection against repeated failed attempts exists, automated tools can submit passwords at high speed until the correct credential is found [1][3].

Impact

Successful brute‑force attacks give the attacker the same privileges as the compromised account. For administrative accounts, this means full control over the GlassFish server, including deployment of malicious applications, data access, and configuration changes. The lack of logging of attempted attacks (by default) further hinders detection.

Mitigation

Eclipse GlassFish 7.0.17 is expected to implement configurable rate‑limiting or account lockout. Users of affected versions should upgrade immediately. As a workaround, deploy a reverse proxy (e.g., Nginx or Apache httpd) with request throttling, or enable IP‑based access restrictions [1][2].
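The reverse-proxy workaround above, written out as an added example; this is not configuration from the advisory or from the Eclipse GlassFish project. It assumes nginx terminates TLS in front of a GlassFish admin console listening on https://127.0.0.1:4848, that the console posts credentials to the standard Jakarta EE form-login target /j_security_check, and that operator workstations live in 10.0.0.0/8; the hostname and certificate paths are placeholders.

```nginx
# Added example, not part of the advisory or of GlassFish itself.
# Assumptions: GlassFish admin console on https://127.0.0.1:4848 behind this
# nginx instance; login form posts to /j_security_check (assumed, verify it);
# operator network is 10.0.0.0/8 (constructed value).

# One token bucket per client address: 5 requests per minute to the login path.
limit_req_zone $binary_remote_addr zone=glassfish_login:10m rate=5r/m;
limit_req_status 429;        # reject throttled requests with 429 Too Many Requests
limit_req_log_level warn;    # write every throttled attempt to error_log

server {
    listen 443 ssl;
    server_name glassfish-admin.example.internal;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/admin.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/admin.key;   # placeholder path

    # IP-based access restriction for the whole console.
    allow 10.0.0.0/8;
    deny  all;

    # Throttle only the credential-submission path, so normal console
    # navigation is unaffected while repeated login attempts are slowed.
    location = /j_security_check {
        limit_req zone=glassfish_login burst=5 nodelay;
        proxy_pass https://127.0.0.1:4848;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    location / {
        proxy_pass https://127.0.0.1:4848;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two points worth checking after deploying this: confirm with a browser that the console login really posts to the path in the throttled location (otherwise the limit never applies), and watch error_log for the "limiting requests" entries, which give the per-source visibility that GlassFish itself does not provide by default according to the Impact section.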

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.glassfish.main.admingui:console-common (Maven)
Affected versions: <= 7.0.25
Patched versions: (none listed)

Affected products (2)

  • Range: <=7.0.16
  • Eclipse Foundation / Eclipse Glassfish v5
    Range: 7.0.16

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.