VYPR
High severity · NVD Advisory · Published Jul 16, 2025 · Updated Jul 16, 2025

CVE-2024-9408

Description

In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Eclipse GlassFish from version 6.2.5 onward contains a Server-Side Request Forgery (SSRF) vulnerability in specific endpoints, enabling internal network reconnaissance.

CVE-2024-9408 describes a Server-Side Request Forgery (SSRF) vulnerability in Eclipse GlassFish, affecting versions since 6.2.5. The vulnerability resides in specific endpoints that can be triggered without full administrative privileges, allowing a remote attacker to craft requests that cause the server to make unintended network calls.

Exploitation

An attacker can exploit this by sending a specially crafted HTTP request to the vulnerable endpoint. The attack requires no authentication beyond what an ordinary user already has, and may be possible in an unauthenticated context, depending on the GlassFish configuration. The attacker's request is forwarded by the server to internal resources, bypassing typical network access controls. The specific endpoints are documented in the security advisories referenced by the Eclipse Foundation [2][3][4].

Impact

Successfully exploiting this SSRF allows an attacker to scan internal networks from the GlassFish server's perspective, potentially accessing internal services, data, or other resources that are not exposed to the internet. This can lead to further compromise of the internal network.

Mitigation

The Eclipse Foundation has acknowledged the report [4]. Users should upgrade to a patched version of GlassFish beyond 6.2.5, monitor for official security patches, and consider applying network-level access controls to limit the server's outbound connections as a temporary workaround.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      Ecosystem   Affected versions   Patched versions
org.glassfish.main.admingui:console-common   Maven       <= 6.2.5            (none listed)

Affected products (2)

  • Range: >=6.2.5
  • Eclipse Foundation / Eclipse Glassfishv5, Range: 6.2.5

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.