CVE-2022-2712 in GlassFish
Summary
by MITRE • 01/27/2023
In Eclipse GlassFish versions 5.1.0 to 6.2.5, there is a vulnerability in relative path traversal because it does not filter request path starting with './'. Successful exploitation could allow an remote unauthenticated attacker to access critical data, such as configuration files and deployed application source code.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/02/2025
The vulnerability identified as CVE-2022-2712 affects Eclipse GlassFish application servers running versions 5.1.0 through 6.2.5, representing a critical path traversal flaw that stems from inadequate input validation in the server's request handling mechanisms. This weakness specifically manifests when the application server processes requests containing path components that begin with './' sequences, which should normally be filtered or normalized to prevent unauthorized access to the underlying file system. The vulnerability resides in the server's interpretation of relative paths, where it fails to properly sanitize or reject malicious path traversal attempts that exploit the relative path resolution behavior of the underlying operating system. This flaw allows attackers to bypass normal access controls and potentially gain access to sensitive server resources, including configuration files, application source code, and other critical system data that should remain protected from external access.
The technical implementation of this vulnerability leverages the fundamental behavior of file system path resolution where './' sequences are interpreted as the current directory reference in Unix-like systems and Windows environments. When GlassFish processes incoming HTTP requests containing such path sequences, the server fails to properly canonicalize or validate the request paths before attempting to resolve them against the file system. This inadequate filtering mechanism enables attackers to craft malicious requests that traverse directories beyond the intended application boundaries, effectively allowing access to arbitrary files on the server's file system. The vulnerability is particularly dangerous because it operates without requiring authentication, making it accessible to any remote attacker who can send HTTP requests to the vulnerable GlassFish server. This characteristic aligns with attack patterns described in the ATT&CK framework under the T1071.004 technique for application layer protocol traffic, where attackers exploit application vulnerabilities to gain unauthorized access to system resources.
The operational impact of CVE-2022-2712 extends far beyond simple data exposure, as successful exploitation can lead to complete system compromise through the access of configuration files that may contain database credentials, encryption keys, and other sensitive authentication materials. Attackers could potentially extract deployed application source code, which might reveal implementation details, business logic, and other intellectual property that could be exploited for further attacks or sold on the black market. The vulnerability also poses risks to application availability and integrity, as attackers could potentially modify or delete critical files, leading to service disruption or data corruption. Organizations running affected GlassFish versions face significant risk exposure, particularly those with public-facing web applications or those that do not maintain strict network segmentation between their application servers and external networks. This vulnerability directly maps to CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal attacks, and represents a well-established pattern of security flaws in web application servers.
Mitigation strategies for CVE-2022-2712 should focus on immediate patching of affected GlassFish versions, with administrators upgrading to versions 6.2.6 or later where this vulnerability has been addressed through proper input validation and path sanitization. Organizations should implement network-level protections such as firewalls and web application firewalls to restrict access to GlassFish servers and monitor for suspicious path traversal patterns in application logs. The implementation of proper input validation at the application level, including the use of allowlists for acceptable path components and strict normalization of all incoming request paths, provides additional defense-in-depth measures. Security teams should conduct comprehensive audits of all GlassFish installations to identify and remediate any instances of the vulnerable versions, while also implementing monitoring for anomalous file access patterns that might indicate exploitation attempts. Regular security assessments and vulnerability scanning should be performed to ensure that no other similar path traversal vulnerabilities exist within the application server environment, with particular attention to the server's handling of relative paths and directory resolution mechanisms. Organizations should also consider implementing automated security controls that can detect and block requests containing suspicious path sequences before they reach the application server, providing an additional layer of protection against this and similar vulnerabilities.