GlassFish Security Fixes Summary
| Vulnerability | Summary | Severity | Versions affected | Fixed in version |
|---|---|---|---|---|
| CVE-2024-9342 | Eclipse GlassFish is vulnerable to Login Brute Force attacks through unlimited failed login attempts | 6.3 MEDIUM | 7.0.16 - 7.0.25 | 8.0.3, 7.0.26 |
| CVE-2026-54512 | jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation | 8.1 HIGH | 7.0.16 - 7.0.25, 7.1.0, 8.0.0 - 8.0.2 | 8.0.3, 7.1.1, 7.0.26 |
| CVE-2026-54513 | jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray) | 8.1 HIGH | 7.0.16 - 7.0.25, 7.1.0, 8.0.0 - 8.0.2 | 8.0.3, 7.1.1, 7.0.26 |
| CVE-2026-54514 | jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF) | 5.3 MEDIUM | 7.0.16 - 7.0.25, 7.1.0, 8.0.0 - 8.0.2 | 8.0.3, 7.1.1, 7.0.26 |
| CVE-2026-54516 | jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields | 5.3 MEDIUM | 8.0.0 - 8.0.2 | 8.0.3 |
| CVE-2026-54517 | jackson-databind has @JsonView bypass for setterless creator properties | 5.3 MEDIUM | 8.0.0 - 8.0.2 | 8.0.3 |
| CVE-2026-54518 | jackson-databind has a @JsonView bypass for unwrapped creator parameters | 6.5 MEDIUM | 8.0.0 - 8.0.2 | 8.0.3 |
| CVE-2026-24457 | 9.8 CRITICAL - An unsafe parsing of OpenMQ's configuration, allows to read arbitrary files from a MQ Broker's server | 9.8 CRITICAL | < 8.0.2 | 8.0.2 |
| CVE-2026-2586 | GlassFish's Administration Console is Vulnerable to RCE | 9.1 CRITICAL | 7.0.16 - 8.0.1 | 8.0.2, 7.1.1, 7.0.26 |
| CVE-2026-2587 | GlassFish's gadget handler is vulnerable to RCE | 9.6 CRITICAL | 7.0.16 - 8.0.1 | 8.0.2, 7.1.1, 7.0.26 |
| CVE-2020-27511 | HIGH, 7.5 - Upgrade Woodstock to 6.0.3 with a security fix for prototype | 7.5 HIGH | < 8.0.0 | 8.0.0, 7.1.1, 7.0.26 |
| CVE-2020-5258 | HIGH, 7.7 - Upgrade dojo.js to 1.16.5 | 7.7 HIGH | < 8.0.0 | 8.0.0, 7.1.0, 7.0.26 |
| CVE-2024-10029 | Eclipse GlassFish is vulnerable to Reflected XSS attacks through its Administration Console | 4.5 MEDIUM | 7.0.16 - 7.0.25 | 7.0.26 |
| CVE-2024-10031 | Eclipse GlassFish is vulnerable to Stored XSS attacks through configuration file modifications | 5.8 MEDIUM | 7.0.16 - 7.0.25 | 7.0.26 |
| CVE-2024-10032 | Eclipse GlassFish is vulnerable to Stored XSS attacks through its Administration Console | 6.1 MEDIUM | 7.0.16 - 7.0.25 | 7.0.26 |
| CVE-2024-9343 | Eclipse GlassFish is vulnerable to Stored XSS attacks through its Administration Console | 6.1 MEDIUM | 7.0.16 - 7.0.25 | 7.0.26 |
| CVE-2025-12383 | Eclipse Jersey has a Race Condition | 9.4 CRITICAL | 7.0.20 - 7.0.21 | 7.0.22 |
| CVE-2024-9329 | Eclipse Glassfish improperly handles http parameters | 6.9 MEDIUM | 7.0.16 | 7.0.17 |
| CVE-2023-41080 | Avoid protocol relative redirects in | 6.1 MEDIUM | < 7.0.10 | 7.0.10 |
| CVE-2022-46337 | GlassFish not affected because bundled Derby DB does not authenticate database users via LDAP | 9.8 CRITICAL | Not impacted |