Vulnerability Description
The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Geronimo | 2.0 |
Related Weaknesses (CWE)
References
- http://geronimo.apache.org/2007/08/13/apache-geronimo-v20-release-delayed-due-to
- http://geronimo.apache.org/2007/08/21/apache-geronimo-201-released.html
- http://www.nabble.com/Geronimo-2.0-Release-suspended-due-to-security-issue-found
- https://issues.apache.org/jira/browse/GERONIMO-1201
- https://issues.apache.org/jira/browse/GERONIMO-3404Patch
- http://geronimo.apache.org/2007/08/13/apache-geronimo-v20-release-delayed-due-to
- http://geronimo.apache.org/2007/08/21/apache-geronimo-201-released.html
- http://www.nabble.com/Geronimo-2.0-Release-suspended-due-to-security-issue-found
- https://issues.apache.org/jira/browse/GERONIMO-1201
- https://issues.apache.org/jira/browse/GERONIMO-3404Patch
FAQ
What is CVE-2007-4548?
CVE-2007-4548 is a vulnerability with a CVSS score of 10.0 (HIGH). The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deplo...
How severe is CVE-2007-4548?
CVE-2007-4548 has been rated HIGH with a CVSS base score of 10.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-4548?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Geronimo.