CVE-2023-5763 - OpenCVE

In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Eclipse	Glassfish

Configuration 1 [-]

cpe:2.3:a:eclipse:glassfish:*:*:*:*:*:*:*:*

References

Link	Resource
https://gitlab.eclipse.org/security/cve-assignement/-/issues/14	Issue Tracking Vendor Advisory
https://glassfish.org/docs/latest/security-guide.html#securing-glassfish-server	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: eclipse

Published: 2023-11-03T06:40:43.441Z

Updated: 2023-11-03T06:40:43.441Z

Reserved: 2023-10-25T04:59:21.006Z

Link: CVE-2023-5763

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-03T07:15:14.617

Modified: 2023-11-13T19:55:13.637

Link: CVE-2023-5763

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5763", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2023-10-25T04:59:21.006Z", "datePublished": "2023-11-03T06:40:43.441Z", "dateUpdated": "2023-11-03T06:40:43.441Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Glassfish", "vendor": "Eclipse Foundation", "versions": [{"lessThanOrEqual": "6.2.5", "status": "affected", "version": "6.0.0", "versionType": "semver"}, {"lessThanOrEqual": "5.1", "status": "affected", "version": "5.0", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Running with older versions of the JDK (lower than 6u211, or < 7u201, or < 8u191)<br>"}], "value": "Running with older versions of the JDK (lower than 6u211, or < 7u201, or < 8u191)\n"}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "tr1ple kurosel (AntGroup FG)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.<br>"}], "value": "In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.\n"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63: Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-913", "description": "CWE-913 Improper Control of Dynamically-Managed Code Resources", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2023-11-03T06:40:43.441Z"}, "references": [{"url": "https://glassfish.org/docs/latest/security-guide.html#securing-glassfish-server"}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/14"}], "source": {"discovery": "UNKNOWN"}, "title": "Glassfish remote code execution", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:glassfish:*:*:*:*:*:*:*:*", "matchCriteriaId": "93671570-13DD-4E0B-B3B0-5343675AF266", "versionEndIncluding": "6.2.5", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.\n"}, {"lang": "es", "value": "En Eclipse Glassfish 5 o 6, ejecutado con versiones antiguas de JDK (inferiores a 6u211, o < 7u201, o < 8u191), permite a atacantes remotos cargar c\u00f3digo malicioso en el servidor mediante el acceso a oyentes ORB inseguros."}], "id": "CVE-2023-5763", "lastModified": "2023-11-13T19:55:13.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2023-11-03T07:15:14.617", "references": [{"source": "emo@eclipse.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/14"}, {"source": "emo@eclipse.org", "tags": ["Product"], "url": "https://glassfish.org/docs/latest/security-guide.html#securing-glassfish-server"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-913"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-913"}], "source": "emo@eclipse.org", "type": "Secondary"}]}