{"api_version":"1","generated_at":"2026-04-22T21:37:19+00:00","cve":"CVE-2009-0039","urls":{"html":"https://cve.report/CVE-2009-0039","api":"https://cve.report/api/cve/CVE-2009-0039.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2009-0039","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2009-0039"},"summary":{"title":"CVE-2009-0039","description":"Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2009-04-17 14:30:00","updated_at":"2018-10-11 20:59:00"},"problem_types":["CWE-352"],"metrics":[],"references":[{"url":"http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214","name":"http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Apache Geronimo : 2.1.x Security Report","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/34715","name":"34715","refsource":"SECUNIA","tags":[],"title":"Apache Geronimo Multiple Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/502735/100/0/threaded","name":"20090416 [DSECRG-09-020] Apache Geronimo - XSRF vulnerabilities","refsource":"BUGTRAQ","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://issues.apache.org/jira/browse/GERONIMO-4597","name":"http://issues.apache.org/jira/browse/GERONIMO-4597","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"[GERONIMO-4597] Validate Web Admin Console input - address admin console security vulnerabilities - ASF JIRA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.vupen.com/english/advisories/2009/1089","name":"ADV-2009-1089","refsource":"VUPEN","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/34562","name":"34562","refsource":"BID","tags":["Exploit"],"title":"504 Gateway Time-out","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://dsecrg.com/pages/vul/show.php?id=120","name":"http://dsecrg.com/pages/vul/show.php?id=120","refsource":"MISC","tags":[],"title":"Digital Security Research Group - [DSECRG-09-020] Apache Geronimo - Multiple  XSRF vulnerabilities","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2009-0039","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2009-0039","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2009","cve_id":"39","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"39","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"39","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"39","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"39","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"39","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"39","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2009","cve_id":"39","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"2.1.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2009-0039","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214","refsource":"CONFIRM","url":"http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214"},{"name":"ADV-2009-1089","refsource":"VUPEN","url":"http://www.vupen.com/english/advisories/2009/1089"},{"name":"34562","refsource":"BID","url":"http://www.securityfocus.com/bid/34562"},{"name":"http://issues.apache.org/jira/browse/GERONIMO-4597","refsource":"CONFIRM","url":"http://issues.apache.org/jira/browse/GERONIMO-4597"},{"name":"34715","refsource":"SECUNIA","url":"http://secunia.com/advisories/34715"},{"name":"20090416 [DSECRG-09-020] Apache Geronimo - XSRF vulnerabilities","refsource":"BUGTRAQ","url":"http://www.securityfocus.com/archive/1/502735/100/0/threaded"},{"name":"http://dsecrg.com/pages/vul/show.php?id=120","refsource":"MISC","url":"http://dsecrg.com/pages/vul/show.php?id=120"}]}},"nvd":{"publishedDate":"2009-04-17 14:30:00","lastModifiedDate":"2018-10-11 20:59:00","problem_types":["CWE-352"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:2.1.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:2.1.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:2.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:2.1.3:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2009","CveId":"39","Ordinal":"35558","Title":"CVE-2009-0039","CVE":"CVE-2009-0039","Year":"2009"},"notes":[{"CveYear":"2009","CveId":"39","Ordinal":"1","NoteData":"Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown.","Type":"Description","Title":null},{"CveYear":"2009","CveId":"39","Ordinal":"2","NoteData":"2009-04-17","Type":"Other","Title":"Published"},{"CveYear":"2009","CveId":"39","Ordinal":"3","NoteData":"2018-10-11","Type":"Other","Title":"Modified"}]}}}