平台
java
组件
glowxq-oj
修复版本
6.0.1
A server-side request forgery (SSRF) vulnerability has been identified in glowxq glowxq-oj, affecting versions up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. This flaw resides within the uploadTestcaseZipUrl function, allowing attackers to potentially manipulate server requests. Due to the product's continuous delivery model, specific affected and updated versions are not readily available. Immediate attention and mitigation are crucial.
The SSRF vulnerability in glowxq-oj allows an attacker to craft malicious requests that the server will execute on its behalf. This can lead to unauthorized access to internal resources, such as internal APIs, databases, or cloud services that are not directly accessible from the outside world. An attacker could potentially read sensitive data, modify configurations, or even gain a foothold within the internal network. The availability of a public exploit significantly elevates the risk, as it lowers the barrier to entry for malicious actors. The impact is amplified if the glowxq-oj instance is exposed to the internet or interacts with other sensitive systems.
This vulnerability has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vulnerability is not currently listed on CISA KEV, but the public availability of the exploit warrants close monitoring. Attackers may leverage the exploit to gain unauthorized access to internal resources and potentially compromise the entire system. The rapid release of the exploit suggests that attackers are actively targeting this vulnerability.
Organizations utilizing glowxq-oj in production environments, particularly those with continuous delivery pipelines, are at risk. Environments with limited network segmentation or exposed internal services are especially vulnerable. Shared hosting environments where multiple users share the same glowxq-oj instance also face increased risk.
• java / server:
# Monitor for suspicious outbound requests to internal resources
grep -i "internal.example.com" /var/log/access.log• generic web:
# Check for unusual HTTP requests in access logs
curl -I <glowxq-oj_url>/business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java | grep -i "Server:"disclosure
漏洞利用状态
EPSS
0.05% (15% 百分位)
CISA SSVC
CVSS 向量
Given the continuous delivery model of glowxq-oj, traditional version-based patching is not applicable. The primary mitigation strategy is to immediately upgrade to the latest available release. Implement strict input validation on all user-supplied data, particularly URLs, to prevent malicious manipulation. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter out potentially harmful requests. Restrict network access to the glowxq-oj instance to only necessary ports and services. After upgrading, verify the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and confirming that the request is blocked or handled safely.
升级到修复了 服务器端请求伪造 (Server-Side Request Forgery, SSRF) 漏洞的已修复版本。由于没有可用的特定修复版本,建议联系供应商以获取解决方案或采取额外的安全措施来防止 SSRF 攻击。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2026-4200 is a server-side request forgery vulnerability in glowxq-oj versions up to 6f7c723090472057252040fd2bbbdaa1b5ed2393, allowing attackers to manipulate server requests and potentially access internal resources.
If you are using glowxq-oj versions up to 6f7c723090472057252040fd2bbbdaa1b5ed2393, you are potentially affected by this SSRF vulnerability. Due to the continuous delivery model, confirm with the vendor for the latest release.
Upgrade to the latest available release of glowxq-oj as soon as possible. Implement input validation and consider using a WAF with SSRF protection.
Yes, a public exploit is available, indicating active exploitation is likely and increasing the risk.
Consult the glowxq-oj official website or communication channels for the latest advisory regarding CVE-2026-4200.
上传你的 pom.xml 文件,立即知道是否受影响。