CVE-2024-9408

9.8 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in the Eclipse GlassFish application server. Attackers can exploit specific endpoints to make the server send unauthorized requests to internal or external systems. Organizations running vulnerable versions of Eclipse GlassFish are affected.

💻 Affected Systems

Products:
  • Eclipse GlassFish
Versions: 6.2.5 and later
Operating Systems: All operating systems running GlassFish
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects specific endpoints; not all GlassFish functionality is vulnerable.

📦 What is this software?

Eclipse GlassFish is an open-source Jakarta EE application server developed under the Eclipse Foundation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of internal network resources, data exfiltration, or use as pivot point for further attacks on internal systems.

🟠

Likely Case

Unauthorized access to internal services, information disclosure from internal endpoints, or denial of service through resource exhaustion.

🟢

If Mitigated

Limited impact if network segmentation restricts GlassFish server's outbound connectivity and internal service access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities typically have low exploitation complexity once vulnerable endpoints are identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Eclipse GlassFish security advisories for specific patched version

Vendor Advisory: https://gitlab.eclipse.org/security/cve-assignement/-/issues/38

Restart Required: Yes

Instructions:

1. Check the current GlassFish version.
2. Apply the latest security patches from Eclipse.
3. Restart the GlassFish server.
4. Verify that the patch was applied.

🔧 Temporary Workarounds

Endpoint Restriction

all

Restrict access to vulnerable endpoints using web application firewall or reverse proxy rules

Network Segmentation

all

Limit GlassFish server's outbound network connectivity to only required destinations

🧯 If You Can't Patch

  • Implement strict network egress filtering to limit GlassFish server's outbound connections
  • Deploy web application firewall with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check GlassFish version and compare against affected versions (6.2.5+). Review endpoint configurations.

Check Version:

asadmin version

Verify Fix Applied:

Verify GlassFish version is updated beyond vulnerable range and test SSRF attempts against known vulnerable endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from GlassFish server
  • Requests to internal IP ranges from GlassFish
  • Error responses from internal services

Network Indicators:

  • GlassFish server making unexpected HTTP requests
  • Traffic to internal services from application server

SIEM Query:

source="glassfish" AND (http_request OR url_contains) AND (dest_ip=private_range OR dest_ip=loopback)
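The private-range/loopback check behind the SIEM query above, applied to constructed log lines as an added example that is not part of the original advisory. The "outbound url=" log format is an assumption for illustration, not a native GlassFish log format.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in an assumed outbound-request log format
# (not GlassFish's own server.log format).
SAMPLE_LOG = """\
2024-10-02T10:15:01Z glassfish outbound url=https://api.example.com/v1/items status=200
2024-10-02T10:15:03Z glassfish outbound url=http://127.0.0.1:4848/management/domain status=200
2024-10-02T10:15:05Z glassfish outbound url=http://10.0.3.7:8080/admin status=500
2024-10-02T10:15:07Z glassfish outbound url=http://169.254.169.254/latest/meta-data/ status=200
2024-10-02T10:15:09Z glassfish outbound url=http://[::1]:8080/ status=200
2024-10-02T10:15:11Z glassfish outbound url=https://cdn.example.net/app.js status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) glassfish outbound url=(?P<url>\S+) status=(?P<status>\d+)"
)


def is_internal_target(host: str) -> bool:
    """True if host is an IP literal in a private, loopback or link-local range.

    Hostnames are not resolved here (offline check); they count as external,
    so a production rule should also resolve names or log the resolved IP.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def flag_ssrf_candidates(log_text: str) -> list[dict]:
    """Return parsed entries whose destination is an internal address
    (the dest_ip=private_range OR dest_ip=loopback condition of the SIEM query)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        if is_internal_target(host):
            hits.append({"ts": m["ts"], "host": host, "url": m["url"],
                         "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in flag_ssrf_candidates(SAMPLE_LOG):
        print(f"{hit['ts']} internal destination {hit['host']} via {hit['url']}")
```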
