CVE-2007-4548

Apache Geronimo 2.0 - Auth Bypass

Description

The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.

Scores

EPSS 0.0081
EPSS Percentile 73.9%

Classification

CWE
CWE-287
Status draft

Affected Products (1)

apache/geronimo

Timeline

Published Aug 27, 2007
Tracked Since Feb 18, 2026