CVE-2024-9342

Summary

In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts. GlassFish 8.0.3 adds automatic attack protection documented in https://glassfish.org/docs/latest/security-guide.html#brute-force-attack-protection .

Affected Software

VendorProductVersion RangeStatus
Eclipse FoundationEclipse Glassfish5.1.0affected
Eclipse FoundationEclipse Glassfish6.0.0 <= 6.2.5affected
Eclipse FoundationEclipse Glassfish7.0.0 <= 7.0.25affected
Eclipse FoundationEclipse Glassfish7.1.0affected
Eclipse FoundationEclipse Glassfish8.0.0 < 8.0.3affected

Weaknesses

  • CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References