Aug 27, 2007 - 11:17 p.m.

CVE-2007-4548

2007-08-27 23:17:00
CWE-287
web.nvd.nist.gov
apache geronimo
loginmodule
failedloginexception
cve-2007-4548
authentication bypass
remote attack

AI Score: 7.7 High (Confidence: Low)
CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.006 Low (Percentile: 79.2%)

The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.

CPE | Name | Operator | Version
apache:geronimo | apache geronimo | eq | 2.0
