Platform: java
Component: org.glassfish.main.admingui:console-common
Fixed in: 6.2.6
CVE-2024-9408 describes a Server Side Request Forgery (SSRF) vulnerability discovered in Eclipse GlassFish. This flaw allows attackers to manipulate the application into making requests to unintended internal or external resources, potentially leading to data exposure or further exploitation. The vulnerability impacts GlassFish versions 6.2.5 and earlier, and a fix is available in version 6.2.6.
The SSRF vulnerability in GlassFish allows an attacker to craft malicious requests that the server will execute on the attacker's behalf. This can be used to scan internal networks, access sensitive data stored within the GlassFish environment (such as configuration files or database credentials), or interact with other internal services. Successful exploitation could lead to unauthorized access to internal resources, data breaches, and potentially a foothold for further attacks within the network. While direct remote code execution is unlikely, the ability to reach internal services through SSRF can be a significant risk, especially in environments with poorly secured internal systems.
CVE-2024-9408 was published on 2025-07-16. There is currently no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The SSRF vulnerability type is commonly exploited, and while no immediate exploitation is observed, it remains a potential risk.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
The primary mitigation for CVE-2024-9408 is to upgrade to GlassFish version 6.2.6 or later, which includes the necessary fix. If upgrading immediately is not possible, consider implementing temporary workarounds. These may include restricting outbound network access from the GlassFish server using a firewall or proxy server, limiting the endpoints accessible through the admin console, and carefully reviewing and restricting any user-supplied input that could be used to construct malicious requests. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability using the previously identified attack vectors and verifying that the requests are now blocked or redirected.
Update Eclipse GlassFish to a version later than 6.2.5 that has addressed the Server Side Request Forgery (SSRF) vulnerability. Consult the release notes and security updates provided by Eclipse Foundation for specific upgrade instructions.
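One practical check is to scan a build's pom.xml for the affected Maven coordinate and compare its version against the fixed release. The following is an added example written for this page, not code from the Eclipse GlassFish project or from the advisory; it assumes the dependency is declared in the pom.xml directly or through a property in `<properties>`, and it flags pins below 6.2.6 (or versions it cannot resolve) for review.

```python
import re
import xml.etree.ElementTree as ET

# Affected Maven coordinate and first fixed release, as stated in the advisory above.
AFFECTED = ("org.glassfish.main.admingui", "console-common")
FIXED = (6, 2, 6)


def parse_version(text):
    """'6.2.5' or '6.2.5-SNAPSHOT' -> (6, 2, 5); compared numerically, not as strings."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-", 1)[0])]
    return tuple((nums + [0, 0, 0])[:3])


def affected_dependencies(pom_xml):
    """Return [(groupId:artifactId, version)] for pins of the affected artifact below FIXED."""
    root = ET.fromstring(pom_xml)
    # {*} matches any namespace, so this works with or without the POM xmlns.
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("{*}properties/*")}
    hits = []
    for dep in root.findall(".//{*}dependency"):
        def text(name):
            return (dep.findtext("{*}" + name) or "").strip()
        if (text("groupId"), text("artifactId")) != AFFECTED:
            continue
        version = text("version")
        ref = re.fullmatch(r"\$\{(.+)\}", version)  # resolve ${glassfish.version} style pins
        if ref:
            version = props.get(ref.group(1), version)
        # Missing or unresolvable versions come from a parent POM or BOM: flag for manual review.
        if not version or version.startswith("${") or parse_version(version) < FIXED:
            hits.append((":".join(AFFECTED), version or "(managed elsewhere: check BOM)"))
    return hits


# Constructed sample POM (not from the advisory): the affected artifact pinned via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><glassfish.version>6.2.5</glassfish.version></properties>
  <dependencies><dependency>
    <groupId>org.glassfish.main.admingui</groupId>
    <artifactId>console-common</artifactId>
    <version>${glassfish.version}</version>
  </dependency></dependencies>
</project>"""

if __name__ == "__main__":
    for coord, ver in affected_dependencies(SAMPLE_POM):
        print(f"AFFECTED: {coord} {ver} (fixed in 6.2.6)")
```

The check only sees what the pom.xml declares; a version inherited from a parent POM or BOM is reported for manual review rather than resolved.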
CVE-2024-9408 is a Server Side Request Forgery vulnerability affecting GlassFish versions up to 6.2.5, allowing attackers to make requests on behalf of the server.
You are affected if you are running Eclipse GlassFish version 6.2.5 or earlier. Upgrade to 6.2.6 or later to mitigate the risk.
Upgrade to GlassFish version 6.2.6 or later. As a temporary workaround, restrict outbound network access and limit accessible endpoints.
There is currently no indication of active exploitation in the wild, but the vulnerability remains a potential risk.
Refer to the official Eclipse GlassFish security advisories for detailed information and updates: https://glassfish.org/security