Platform
java
Component
glowxq-oj
Fixed in
6.0.1
A server-side request forgery (SSRF) vulnerability has been identified in glowxq glowxq-oj, affecting versions up to commit 6f7c723090472057252040fd2bbbdaa1b5ed2393. The flaw resides in the uploadTestcaseZipUrl function, which lets an attacker influence the URL the server fetches on its behalf. Because the product follows a continuous delivery model, precise affected and fixed version numbers are not readily available. Immediate attention and mitigation are crucial.
The SSRF vulnerability in glowxq-oj allows an attacker to craft malicious requests that the server will execute on its behalf. This can lead to unauthorized access to internal resources, such as internal APIs, databases, or cloud services that are not directly accessible from the outside world. An attacker could potentially read sensitive data, modify configurations, or even gain a foothold within the internal network. The availability of a public exploit significantly elevates the risk, as it lowers the barrier to entry for malicious actors. The impact is amplified if the glowxq-oj instance is exposed to the internet or interacts with other sensitive systems.
This vulnerability has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability is not currently listed on CISA KEV, but the public availability of the exploit warrants close monitoring. Attackers may leverage the exploit to gain unauthorized access to internal resources and potentially compromise the entire system. The rapid release of the exploit suggests that attackers are actively targeting this vulnerability.
Organizations utilizing glowxq-oj in production environments, particularly those with continuous delivery pipelines, are at risk. Environments with limited network segmentation or exposed internal services are especially vulnerable. Shared hosting environments where multiple users share the same glowxq-oj instance also face increased risk.
• java / server:
# Monitor for suspicious outbound requests to internal resources
grep -i "internal.example.com" /var/log/access.log
• generic web:
# Check for unusual HTTP requests in access logs
curl -I <glowxq-oj_url>/business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java | grep -i "Server:"
disclosure
Exploit status
EPSS
0.05% (percentile 15%)
CISA SSVC
CVSS vector
Given the continuous delivery model of glowxq-oj, traditional version-based patching is not applicable. The primary mitigation is to upgrade to the latest available release immediately. Implement strict input validation on all user-supplied data, particularly URLs that the server will fetch, so that only expected schemes and destinations are accepted. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter potentially harmful requests. Restrict network access to and from the glowxq-oj instance to only the ports and services it needs, so that a forged request cannot reach internal services even if validation is bypassed. After upgrading, verify the fix by submitting a known malicious URL to the affected function in a test environment and confirming that the request is rejected or handled safely.
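The following is an added example of the URL validation described above; it is not code from glowxq-oj and does not reproduce the uploadTestcaseZipUrl function. It assumes a hypothetical allow-list of hosts the service is permitted to download test-case archives from, and it rejects any URL whose scheme, userinfo, host, port or resolved address falls outside that policy. The class name, host names and sample inputs are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

// Added example (not glowxq-oj code): validate a user-supplied download URL before the
// server fetches it. The host allow-list below is an assumption for illustration.
public final class SafeFetchUrlPolicy {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("https");
    // Hypothetical allow-list: only hosts the service is meant to pull test-case archives from.
    private static final Set<String> ALLOWED_HOSTS = Set.of("testcases.example.org");

    private SafeFetchUrlPolicy() {}

    /** Returns the validated URI, or throws IllegalArgumentException explaining why it was rejected. */
    public static URI validate(String raw) throws UnknownHostException {
        URI uri;
        try {
            uri = new URI(raw.trim()).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }

        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        // Reject "user:pass@host" forms, which are a classic way to confuse host parsing.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo in URL not allowed");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("URL has no host");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not on allow-list: " + host);
        }
        int port = uri.getPort();
        if (port != -1 && port != 443) {
            throw new IllegalArgumentException("port not allowed: " + port);
        }
        // Defence in depth: even an allow-listed name must not resolve into an internal range
        // (a hijacked or rebinding DNS record would otherwise point the server at itself or its neighbours).
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (isInternalAddress(addr)) {
                throw new IllegalArgumentException(host + " resolves to internal address " + addr.getHostAddress());
            }
        }
        return uri;
    }

    /** True for wildcard, loopback, link-local, site-local (RFC 1918), multicast, CGNAT (100.64/10) and IPv6 ULA (fc00::/7) addresses. */
    static boolean isInternalAddress(InetAddress addr) {
        if (addr.isAnyLocalAddress() || addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                || addr.isSiteLocalAddress() || addr.isMulticastAddress()) {
            return true;
        }
        byte[] b = addr.getAddress();
        if (b.length == 4) {
            int first = b[0] & 0xff, second = b[1] & 0xff;
            return first == 100 && second >= 64 && second <= 127; // 100.64.0.0/10
        }
        if (b.length == 16) {
            return (b[0] & 0xfe) == 0xfc; // fc00::/7 unique local
        }
        return false;
    }

    // Constructed inputs for a quick demonstration; the first one only passes if the name resolves publicly.
    public static void main(String[] args) {
        String[] samples = {
            "https://testcases.example.org/contest42/cases.zip",
            "http://testcases.example.org/cases.zip",
            "https://user@testcases.example.org/cases.zip",
            "https://127.0.0.1:8080/admin",
            "file:///etc/passwd"
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + validate(s));
            } catch (IllegalArgumentException | UnknownHostException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two design points matter in practice. First, the address check is only meaningful if the download then connects to the address that was validated; resolving the name a second time inside the HTTP client reopens the time-of-check/time-of-use window. Second, the client that performs the fetch should not follow redirects automatically, since a redirect to an internal address would bypass every check above; either disable redirects or re-run validate on each Location target.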
Update to a fixed version that mitigates the Server-Side Request Forgery (SSRF) vulnerability. Since no specific fixed version is available, it is recommended to contact the vendor for a solution or to apply additional security measures to prevent SSRF attacks.
CVE-2026-4200 is a server-side request forgery vulnerability in glowxq-oj versions up to commit 6f7c723090472057252040fd2bbbdaa1b5ed2393, allowing attackers to manipulate requests made by the server and potentially reach internal resources.
If you are using glowxq-oj at or before commit 6f7c723090472057252040fd2bbbdaa1b5ed2393, you are potentially affected by this SSRF vulnerability. Because of the continuous delivery model, confirm the latest release with the vendor.
Upgrade to the latest available release of glowxq-oj as soon as possible. Implement input validation and consider using a WAF with SSRF protection.
Yes, a public exploit is available, indicating active exploitation is likely and increasing the risk.
Consult the glowxq-oj official website or communication channels for the latest advisory regarding CVE-2026-4200.