CVE-2009-0039

Apache Geronimo Application Server 2.1-2.1.3 - CSRF

Title source: llm

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown.

Exploits (1)

exploitdb WORKING POC VERIFIED

by DSecRG · htmlremotemultiple

https://www.exploit-db.com/exploits/32922

View Code ZIP pw:eip

References (7)

[Various Sources] http://dsecrg.com/pages/vul/show.php?id=120

[Vendor Advisory] http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214

[Vendor Advisory] http://issues.apache.org/jira/browse/GERONIMO-4597

[Exploit] http://www.securityfocus.com/bid/34562

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/502735/100/0/threaded

[Third Party Advisory] http://secunia.com/advisories/34715

[Third Party Advisory] http://www.vupen.com/english/advisories/2009/1089

Scores

EPSS 0.0601

EPSS Percentile 90.5%

Classification

CWE

CWE-352

Status draft

Affected Products (5)

apache/geronimo

apache/geronimo

apache/geronimo

apache/geronimo

org.apache.geronimo.plugins/console < 2.1.4Maven

Timeline

Published Apr 17, 2009

Tracked Since Feb 18, 2026