Cyber Resilience

CVE-2024-9342

Severity: Medium

Published: 16 July 2025
Modified: 16 July 2025
KEV Added: not listed
Patch: see the Eclipse security advisory linked below
CVSS v4.0 base score: 6.3 (Medium), vector CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0040 (60.9th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-9342 is a medium-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Eclipse GlassFish. Its CVSS v4.0 base score is 6.3 (Medium); a separate CVSS v3.1 assessment rates it 9.8 (Critical), as discussed under Deeper analysis.

Operationally, exploitation maps to the MITRE ATT&CK technique Password Guessing (T1110.001). Its EPSS score places it in the top 39.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2024-9342 affects Eclipse GlassFish version 7.0.16 and earlier, which places no limit on the number of failed login attempts and therefore permits login brute-force attacks. The weakness is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). Under CVSS v3.1 it carries a base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low complexity, no privileges or user interaction required. The CVSS v4.0 vector above rates the same issue 6.3 (Medium), scoring the attack vector as adjacent (AV:A), the direct confidentiality impact as low (VC:L) and the confidentiality impact on subsequent systems as high (SC:H); which figure better reflects your exposure depends on whether the GlassFish login endpoints are reachable beyond the local network segment.

Unauthenticated remote attackers exploit the weakness by issuing an unbounded stream of login attempts against exposed authentication endpoints, recovering valid credentials by brute force wherever passwords are weak, reused or predictable. A successful guess grants access to the application server, with the high confidentiality, integrity and availability impact the CVSS v3.1 metrics describe. Because the server itself enforces no limit, the only brake on the attacker is per-attempt latency, so compensating controls (rate limiting at a reverse proxy or WAF, strong passwords, multi-factor authentication, monitoring of failed logons) matter until the mitigation described in the Eclipse advisory is applied.
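The following is an added illustration, not code from GlassFish or from the Eclipse advisory: a minimal login routine in the CWE-307 shape (no failure counting) next to a guarded version that enforces an AC-7 style limit as a per-account exponential backoff plus a per-source sliding-window cap. The credential store, the salt, the wordlist and the source address are constructed for the example; the guard is generic application logic, not a GlassFish configuration option.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed credential store: one account, PBKDF2-hashed. It stands in for a
# user realm and is not GlassFish's own store or configuration.
_SALT = b"constructed-example-salt"
_ITERATIONS = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"admin": _hash("Summer2024!")}


def check_password(user: str, password: str) -> bool:
    """Constant-time compare; hash even for unknown users so response time
    does not reveal which usernames exist."""
    candidate = _hash(password)
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)


def login_unlimited(user: str, password: str) -> bool:
    """The CWE-307 pattern: failures are not counted, so a caller can walk an
    entire wordlist and the only cost per guess is one hash computation."""
    return check_password(user, password)


class LoginGuard:
    """AC-7 style limit on unsuccessful logons, as two controls:
    - per-account exponential backoff (a growing delay rather than an indefinite
      lockout, so the limit cannot be abused to lock legitimate users out);
    - a per-source sliding-window cap on attempts, whatever account is targeted.
    `now` is injectable so behaviour is reproducible in tests."""

    def __init__(self, now=time.monotonic, max_per_source=20, window=60.0,
                 backoff_base=2.0, backoff_cap=300.0):
        self.now = now
        self.max_per_source = max_per_source
        self.window = window
        self.backoff_base = backoff_base
        self.backoff_cap = backoff_cap
        self.account_failures = defaultdict(int)
        self.account_retry_at = defaultdict(float)
        self.source_attempts = defaultdict(deque)

    def login(self, user: str, password: str, source: str) -> str:
        t = self.now()
        attempts = self.source_attempts[source]
        while attempts and attempts[0] <= t - self.window:
            attempts.popleft()
        if len(attempts) >= self.max_per_source:
            return "rate_limited"      # source cap hit, regardless of account
        attempts.append(t)             # backoff rejections still count here
        if t < self.account_retry_at[user]:
            return "backoff"           # account still inside its delay window
        if check_password(user, password):
            self.account_failures[user] = 0
            return "ok"
        failures = self.account_failures[user] + 1
        self.account_failures[user] = failures
        delay = min(self.backoff_cap, self.backoff_base ** failures)
        self.account_retry_at[user] = t + delay
        return "denied"


class FakeClock:
    """Deterministic clock: each call advances `step` seconds, simulating an
    attacker firing requests back to back."""
    def __init__(self, step=0.1):
        self.t, self.step = 0.0, step

    def __call__(self):
        self.t += self.step
        return self.t


# Constructed wordlist; the real password is the last entry.
WORDLIST = ["password", "123456", "admin", "letmein", "Welcome1", "Summer2024!"]


def brute_force_unlimited(user, wordlist=WORDLIST):
    """Returns (password found or None, attempts used) against the unlimited login."""
    for i, candidate in enumerate(wordlist, 1):
        if login_unlimited(user, candidate):
            return candidate, i
    return None, len(wordlist)


def brute_force_guarded(user, wordlist=WORDLIST, source="203.0.113.7"):
    """Same wordlist against LoginGuard; returns (password or None, per-attempt outcomes)."""
    guard = LoginGuard(now=FakeClock())
    outcomes = []
    for candidate in wordlist:
        outcomes.append(guard.login(user, candidate, source))
        if outcomes[-1] == "ok":
            return candidate, outcomes
    return None, outcomes
```

Against the unlimited login the six-entry wordlist recovers the password on the sixth attempt; against the guard the first wrong guess starts a two-second delay and every rapid retry is rejected with "backoff" before the password is even checked, while the per-source cap independently rejects a source that keeps hammering different accounts. Note the design trade-off: a delay that grows with the failure count still lets an attacker slow a legitimate user's logins, which is why SC-5 is listed alongside AC-7 and why an indefinite lockout is avoided here.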

Mitigation details are available in the Eclipse security advisory at https://gitlab.eclipse.org/security/cve-assignement/-/issues/33, published on 2025-07-16.

Vulnerability details

In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts.

CWE(s)

CWE-307 Improper Restriction of Excessive Authentication Attempts

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

Directly enables unlimited login attempts for password guessing on exposed auth endpoints (CWE-307).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2586 (same product: Eclipse GlassFish)
CVE-2026-2587 (same product: Eclipse GlassFish)
CVE-2026-24436 (shared CWE-307)
CVE-2026-32292 (shared CWE-307)
CVE-2026-27521 (shared CWE-307)
CVE-2025-36363 (shared CWE-307)
CVE-2025-58587 (shared CWE-307)
CVE-2025-55100 (same vendor: Eclipse)
CVE-2024-10838 (same vendor: Eclipse)
CVE-2026-1188 (same vendor: Eclipse)

Affected Assets

eclipse / glassfish / 7.0.16 and earlier

Mitigating Controls (NIST 800-53 r5)

prevent: AC-7 (Unsuccessful Logon Attempts) enforces a limit on consecutive unsuccessful logon attempts, which is exactly the control GlassFish 7.0.16 and earlier lacks. Since the vulnerable server cannot enforce it itself, apply the limit in front of it (reverse proxy, WAF or identity provider) until the advisory's mitigation is in place, and prefer progressive delays or per-source limits over indefinite account lockout so the control cannot be turned into an account-lockout denial of service.

prevent: SC-5 (Denial-of-service Protection) protects against resource exhaustion from the same flood of login attempts, including the lockout side effect noted above, during brute-force exploitation of the vulnerable authentication endpoints.

detect: SI-4 (System Monitoring) detects brute force through anomalous patterns in failed logins against the GlassFish server: many failures for one account from one source, or a few failures each across many accounts from one source (password spraying), which a per-account limit alone would not catch.
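As an added example of the SI-4 detection logic described above (not part of this page's analysis and not a GlassFish or SIEM rule), the routine below runs a sliding window over authentication events and raises one alert per offender for the two patterns a brute-force campaign produces: repeated failures against a single account from one source, and failures spread across many accounts from one source. The log lines are constructed in a simple key=value format for the example; GlassFish's server.log fields would need to be mapped into parse_event() instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed authentication events. This is NOT the GlassFish server.log
# format; it only carries the fields a detection needs: time, result, user, source.
SAMPLE_LOG = """\
2025-07-16T10:00:00Z auth result=OK user=alice src=192.0.2.10
2025-07-16T10:00:05Z auth result=FAIL user=bob src=192.0.2.11
2025-07-16T10:00:09Z auth result=OK user=bob src=192.0.2.11
this line is not an auth event and is skipped
2025-07-16T10:01:00Z auth result=FAIL user=admin src=203.0.113.7
2025-07-16T10:01:01Z auth result=FAIL user=admin src=203.0.113.7
2025-07-16T10:01:02Z auth result=FAIL user=admin src=203.0.113.7
2025-07-16T10:01:03Z auth result=FAIL user=admin src=203.0.113.7
2025-07-16T10:01:04Z auth result=FAIL user=admin src=203.0.113.7
2025-07-16T10:02:00Z auth result=FAIL user=alice src=198.51.100.23
2025-07-16T10:02:01Z auth result=FAIL user=bob src=198.51.100.23
2025-07-16T10:02:02Z auth result=FAIL user=carol src=198.51.100.23
2025-07-16T10:02:03Z auth result=FAIL user=dave src=198.51.100.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_event(line):
    """Return a dict with a POSIX timestamp, or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).timestamp()
    return ev


def detect_brute_force(lines, fail_threshold=5, window=60.0, spray_users=4):
    """Sliding-window detection over chronologically ordered log lines.

    Flags, once per offender:
    - brute_force: >= fail_threshold failures for one (source, user) within window;
    - password_spray: failures against >= spray_users distinct users from one
      source within window (few attempts per account, so a per-account limit
      would never trip).
    """
    target_fails = defaultdict(deque)   # (src, user) -> failure timestamps
    source_fails = defaultdict(deque)   # src -> (timestamp, user) of failures
    alerts, fired = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        t, src, user = ev["ts"], ev["src"], ev["user"]

        q = target_fails[(src, user)]
        q.append(t)
        while q[0] < t - window:
            q.popleft()
        if len(q) >= fail_threshold and ("brute_force", src, user) not in fired:
            fired.add(("brute_force", src, user))
            alerts.append({"type": "brute_force", "src": src, "user": user, "count": len(q)})

        s = source_fails[src]
        s.append((t, user))
        while s[0][0] < t - window:
            s.popleft()
        users = {u for _, u in s}
        if len(users) >= spray_users and ("password_spray", src) not in fired:
            fired.add(("password_spray", src))
            alerts.append({"type": "password_spray", "src": src, "users": sorted(users)})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample data the single legitimate mistake from 192.0.2.11 produces nothing, the five rapid failures against admin from 203.0.113.7 raise a brute_force alert, and 198.51.100.23, which never fails twice against the same account, is still caught as a password_spray. Thresholds are deliberately parameters: tune fail_threshold below whatever limit the compensating AC-7 control enforces so the detection fires before the attacker is silently throttled, and keep the window short enough that ordinary users who mistype a password do not trip it.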

References

Eclipse security advisory (published 2025-07-16): https://gitlab.eclipse.org/security/cve-assignement/-/issues/33