CVE-2017-1000028

EPSS 99.5%

Vexday Risk Score

60Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 99.5%KEV nãoPoC públicaNuclei simMetasploit simPatch —

Lifecycle

08 Aug 2015Metasploit module available

27 Aug 2015Public PoC

13 Jul 2017Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.

Affected products

n/a · n/a

public PoCs found — 6

githubgithub.com/NeonNOXX/CVE-2017-1000028★ 1 cve_referencewww.exploit-db.com/exploits/45196/unverified cve_referencewww.exploit-db.com/exploits/45198/unverified exploitdbwww.exploit-db.com/exploits/45198unverified exploitdbwww.exploit-db.com/exploits/39441unverified exploitdbwww.exploit-db.com/exploits/45196unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.exploit-db.com/exploits/45196/https://www.exploit-db.com/exploits/45198/https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904