CVE-2017-1000028 in GlassFish Server Open Source Edition
Summary
by MITRE
Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/11/2025
Oracle GlassFish Server Open Source Edition 4.1 contains a critical directory traversal vulnerability that affects both authenticated and unauthenticated access scenarios. This vulnerability stems from insufficient input validation in the HTTP request processing mechanism, allowing attackers to manipulate file path parameters and access arbitrary files on the server filesystem. The flaw exists within the web application container's handling of GET requests where user-supplied path information is not properly sanitized or normalized before being processed. This weakness enables an attacker to traverse directory structures using sequences such as ../ or ..\ to access files outside the intended web root directory. The vulnerability is classified under CWE-22 as Improper Limitation of a Pathname to a Restricted Directory, which represents a fundamental flaw in input validation and access control mechanisms. Attackers can exploit this vulnerability to retrieve sensitive configuration files, source code, database credentials, or other confidential information that should remain protected within the server's restricted directories.
The operational impact of this vulnerability extends beyond simple information disclosure, as it can enable more sophisticated attacks including remote code execution through the access of server configuration files that may contain deployment descriptors or other runtime parameters. An unauthenticated attacker can leverage this vulnerability to perform reconnaissance activities by accessing system files, application logs, or configuration files that reveal system architecture details. When combined with other vulnerabilities or through authenticated access, this flaw can provide attackers with complete system compromise capabilities. The vulnerability affects the core web container functionality and can be exploited through standard HTTP GET requests, making it particularly dangerous as it requires minimal privileges to exploit. According to ATT&CK framework, this vulnerability maps to T1083 (File and Directory Discovery) and T1059 (Command and Scripting Interpreter) as attackers can use the discovered information to plan further attacks or establish persistence mechanisms.
Mitigation strategies for this vulnerability include immediate patching of the GlassFish Server to the latest available version that addresses this directory traversal issue. Organizations should also implement proper input validation and sanitization at all entry points where file paths are processed, ensuring that all user-supplied input is normalized and validated against expected patterns. Network segmentation and access controls should be implemented to limit exposure of the GlassFish server to untrusted networks, while application-level firewalls can be configured to block suspicious path traversal sequences. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities in custom applications built on the GlassFish platform. Additionally, implementing proper logging and monitoring of file access patterns can help detect exploitation attempts and provide forensic evidence for incident response activities. The vulnerability highlights the importance of secure coding practices and proper access control mechanisms in enterprise web applications, particularly those running on open source platforms that may not receive immediate security updates from vendors.