Vulnerability CVE-2007-4548
Published: 2007-08-27   Modified: 2012-02-12

Description:
The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.

Type:
CWE-287 (Improper Authentication)

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software:
Apache -> Geronimo

References:
https://issues.apache.org/jira/browse/GERONIMO-3404
https://issues.apache.org/jira/browse/GERONIMO-1201
http://www.nabble.com/Geronimo-2.0-Release-suspended-due-to-security-issue-found-before-release-t4263667s134.html
http://geronimo.apache.org/2007/08/21/apache-geronimo-201-released.html
http://geronimo.apache.org/2007/08/13/apache-geronimo-v20-release-delayed-due-to-security-issue.html

Copyright 2020, cxsecurity.com