Vulnerabilities > CVE-2011-0807

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

oracle

sun

nessus

exploit available

metasploit

NVD

Published: 2011-04-20

Updated: 2024-11-21

Summary

Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Glassfish Server 2.1 Oracle Glassfish Server 2.1.1 Oracle Glassfish Server 3.0.1	3
Application	Sun SUN Java System Application Server 9.1	1

Exploit-Db

description	Sun/Oracle GlassFish Server Authenticated Code Execution. CVE-2011-0807. Webapps exploit for jsp platform
id	EDB-ID:17615
last seen	2016-02-02
modified	2011-08-05
published	2011-08-05
reporter	metasploit
source	https://www.exploit-db.com/download/17615/
title	Sun/Oracle GlassFish Server Authenticated Code Execution

Metasploit

description	This module attempts to login to GlassFish instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. It will also try to do an authentication bypass against older versions of GlassFish. Note: by default, GlassFish 4.0 requires HTTPS, which means you must set the SSL option to true, and SSLVersion to TLS1. It also needs Secure Admin to access the DAS remotely.
id	MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_LOGIN
last seen	2020-03-11
modified	2019-06-27
published	2013-08-30
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0807
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/glassfish_login.rb
title	GlassFish Brute Force Utility

description	This module logs in to a GlassFish Server (Open Source or Commercial) using various methods (such as authentication bypass, default credentials, or user-supplied login), and deploys a malicious war file in order to get remote code execution. It has been tested on Glassfish 2.x, 3.0, 4.0 and Sun Java System Application Server 9.x. Newer GlassFish versions do not allow remote access (Secure Admin) by default, but is required for exploitation.
id	MSF:EXPLOIT/MULTI/HTTP/GLASSFISH_DEPLOYER
last seen	2020-03-15
modified	2018-08-07
published	2013-10-15
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0807
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/glassfish_deployer.rb
title	Sun/Oracle GlassFish Server Authenticated Code Execution

Nessus

NASL family	CGI abuses
NASL id	GLASSFISH_GET_AUTH_BYPASS.NASL
description	The version of GlassFish Server running on the remote host has an authentication bypass vulnerability. The server fails to enforce authentication on HTTP requests that contain lower case method names (e.g.
last seen	2020-04-30
modified	2011-08-17
plugin id	55931
published	2011-08-17
reporter	This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/55931
title	Oracle GlassFish Server Administration Console GET Request Authentication Bypass

Packetstorm

data source	https://packetstormsecurity.com/files/download/103714/glassfish_deployer.rb.txt
id	PACKETSTORM:103714
last seen	2016-12-05
published	2011-08-04
reporter	Joshua D. Abraham
source	https://packetstormsecurity.com/files/103714/Sun-Oracle-GlassFish-Server-Authenticated-Code-Execution.html
title	Sun/Oracle GlassFish Server Authenticated Code Execution

Vulnerabilities > CVE-2011-0807 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2011-0807"}]}

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

Packetstorm

References

Vulnerabilities > CVE-2011-0807