CVE-2018-14324 — CRITICAL (9.8)

Vulnerability Description

The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP port 7676 open by default with a password of admin for the admin account. This allows remote attackers to obtain potentially sensitive information, perform database operations, or manipulate the demo via a JMX RMI session, aka a "jmx_rmi remote monitoring and control problem." NOTE: this is not an Oracle supported product.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Oracle	Glassfish Server	5.0

Related Weaknesses (CWE)

CWE-798

References

http://www.securitytracker.com/id/1041292Third Party AdvisoryVDB Entry
https://github.com/eclipse-ee4j/glassfish/issues/22500
http://www.securitytracker.com/id/1041292Third Party AdvisoryVDB Entry
https://github.com/eclipse-ee4j/glassfish/issues/22500

FAQ

What is CVE-2018-14324?

CVE-2018-14324 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP port 7676 open by default with a password of admin for the admin account. This allows remote attackers to obtain potentially sensit...

How severe is CVE-2018-14324?

CVE-2018-14324 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-14324?

Check the references section above for vendor advisories and patch information. Affected products include: Oracle Glassfish Server.