CVE-2024-9342
Eclipse GlassFish is vulnerable to Login Brute Force attacks through unlimited failed login attempts
EPSS 0.40%
Description
In Eclipse GlassFish version 7.0.16 or earlier, it is possible to perform login brute force attacks as there is no limitation on the number of failed login attempts.
How to fix CVE-2024-9342
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Maven/org.glassfish.main.admingui:console-common: no fix listed
Is CVE-2024-9342 being exploited?
Low. EPSS is 0.4%, a low estimated probability of exploitation, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.glassfish.main.admingui:console-common: from 0, <= 7.0.25
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N |