In Eclipse Glassfish versions before 7.0.17, the Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is `/management/domain`. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

Affected Packages

Maven org.glassfish.main.admin:rest-service

Affected versions: 0 (fixed in 7.0.17)

Related CVEs

CVE-2024-9329

Key Information

GHSA ID

GHSA-jq3f-mfmg-747x

Published

September 30, 2024 9:30 AM

Last Modified

October 7, 2024 6:52 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.glassfish.main.admin:rest-service

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.