CVE-2007-4548
Apache Geronimo 2.0 - Improper Authentication via Blank Credentials Bypass
The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.
References (5)
- Confirm (x_refsource_confirm): http://geronimo.apache.org/2007/08/13/apache-geronimo-v20-release-delayed-due-to-security-issue.html
- Patch (x_refsource_confirm): https://issues.apache.org/jira/browse/GERONIMO-3404
- Misc (x_refsource_misc): http://geronimo.apache.org/2007/08/21/apache-geronimo-201-released.html
- Mailing list (x_refsource_mlist): http://www.nabble.com/Geronimo-2.0-Release-suspended-due-to-security-issue-found-before-release-t4263667s134.html
- Misc (x_refsource_misc): https://issues.apache.org/jira/browse/GERONIMO-1201
Scores
EPSS: 0.0419
EPSS Percentile: 89.7%
Details
CWE: CWE-287 (Improper Authentication)
Status: published
Products (1): apache/geronimo 2.0
Published: Aug 27, 2007
Tracked Since: Feb 18, 2026