glowxq glowxq-oj ProblemCaseController.java uploadTestcaseZipUrl falsification de requête côté serveur
Plateforme
java
Composant
glowxq-oj
Corrigé dans
6.0.1
A server-side request forgery (SSRF) vulnerability has been identified in glowxq glowxq-oj, affecting versions up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This flaw resides within the uploadTestcaseZipUrl function, allowing attackers to potentially manipulate server requests. Due to the product's continuous delivery model, specific affected and updated versions are not readily available. Immediate attention and mitigation are crucial.
Détecte cette CVE dans ton projet
Téléverse ton fichier pom.xml et nous te dirons instantanément si tu es affecté.
Impact et Scénarios d'Attaquetraduction en cours…
The SSRF vulnerability in glowxq-oj allows an attacker to craft malicious requests that the server will execute on its behalf. This can lead to unauthorized access to internal resources, such as internal APIs, databases, or cloud services that are not directly accessible from the outside world. An attacker could potentially read sensitive data, modify configurations, or even gain a foothold within the internal network. The availability of a public exploit significantly elevates the risk, as it lowers the barrier to entry for malicious actors. The impact is amplified if the glowxq-oj instance is exposed to the internet or interacts with other sensitive systems.
Contexte d'Exploitationtraduction en cours…
This vulnerability has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability is not currently listed on CISA KEV, but the public availability of the exploit warrants close monitoring. Attackers may leverage the exploit to gain unauthorized access to internal resources and potentially compromise the entire system. The rapid release of the exploit suggests that attackers are actively targeting this vulnerability.
Qui Est à Risquetraduction en cours…
Organizations utilizing glowxq-oj in production environments, particularly those with continuous delivery pipelines, are at risk. Environments with limited network segmentation or exposed internal services are especially vulnerable. Shared hosting environments where multiple users share the same glowxq-oj instance also face increased risk.
Étapes de Détectiontraduction en cours…
• java / server:
# Monitor for suspicious outbound requests to internal resources
grep -i "internal.example.com" /var/log/access.log• generic web:
# Check for unusual HTTP requests in access logs
curl -I <glowxq-oj_url>/business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java | grep -i "Server:"Chronologie de l'Attaque
- Disclosure
disclosure
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.05% (percentile 15%)
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Aucun — sans authentification. Aucune identifiant requis pour exploiter.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Faible — accès partiel ou indirect à certaines données.
- Integrity
- Faible — l'attaquant peut modifier certaines données avec un impact limité.
- Availability
- Faible — déni de service partiel ou intermittent.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
Given the continuous delivery model of glowxq-oj, traditional version-based patching is not applicable. The primary mitigation strategy is to immediately upgrade to the latest available release. Implement strict input validation on all user-supplied data, particularly URLs, to prevent malicious manipulation. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter out potentially harmful requests. Restrict network access to the glowxq-oj instance to only necessary ports and services. After upgrading, verify the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and confirming that the request is blocked or handled safely.
Comment corriger
Mettre à jour vers une version corrigée qui atténue la vulnérabilité de Server-Side Request Forgery (SSRF). Étant donné qu'aucune version spécifique corrigée n'est disponible, il est recommandé de contacter le fournisseur pour obtenir une solution ou d'appliquer des mesures de sécurité supplémentaires pour prévenir les attaques SSRF.
Newsletter Sécurité CVE
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
Questions fréquentestraduction en cours…
What is CVE-2026-4200 — SSRF in glowxq-oj?
CVE-2026-4200 is a server-side request forgery vulnerability in glowxq-oj versions up to 6f7c723090472057252040fd2bbbdaa1b5ed2393, allowing attackers to manipulate server requests and potentially access internal resources.
Am I affected by CVE-2026-4200 in glowxq-oj?
If you are using glowxq-oj versions up to 6f7c723090472057252040fd2bbbdaa1b5ed2393, you are potentially affected by this SSRF vulnerability. Due to the continuous delivery model, confirm with the vendor for the latest release.
How do I fix CVE-2026-4200 in glowxq-oj?
Upgrade to the latest available release of glowxq-oj as soon as possible. Implement input validation and consider using a WAF with SSRF protection.
Is CVE-2026-4200 being actively exploited?
Yes, a public exploit is available, indicating active exploitation is likely and increasing the risk.
Where can I find the official glowxq-oj advisory for CVE-2026-4200?
Consult the glowxq-oj official website or communication channels for the latest advisory regarding CVE-2026-4200.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.