CVE-2007-5797

Apache Geronimo <2.2 - Auth Bypass

Description

SQLLoginModule in Apache Geronimo 2.0 through 2.1 does not throw an exception for a nonexistent username, which allows remote attackers to bypass authentication via a login attempt with any username not contained in the database.

Scores

EPSS 0.0076
EPSS Percentile 73.0%

Classification

CWE
CWE-287
Status draft

Affected Products (4)

apache/geronimo
apache/geronimo
apache/geronimo
apache/geronimo

Timeline

Published Nov 03, 2007
Tracked Since Feb 18, 2026