CVE-2007-4548
Summary
| CVE | CVE-2007-4548 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2007-08-27 23:17:00 UTC |
| Updated | 2008-09-05 21:28:00 UTC |
| Description | The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module. |
Risk And Classification
Problem Types: CWE-287
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache Geronimo v2.0 - Release delayed due to security issue : Apache Geronimo | CONFIRM | geronimo.apache.org | |
| [GERONIMO-3404] Using a Null Username allows access to a running 2.0 server - ASF JIRA | CONFIRM | issues.apache.org | Patch |
| [GERONIMO-1201] All our login modules implement login() incorrectly - ASF JIRA | MISC | issues.apache.org | |
| Apache Geronimo 2.0.1 - Released : Apache Geronimo | MISC | geronimo.apache.org | |
| Nabble - Apache Geronimo - Dev - Geronimo 2.0 Release suspended due to security issue found before release | MLIST | www.nabble.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.