CVE-2009-0039

Apache Geronimo Application Server 2.1-2.1.3 - CSRF

Title source: llm

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown.

Exploits (1)

exploitdb WORKING POC VERIFIED

by DSecRG · htmlremotemultiple

https://www.exploit-db.com/exploits/32922

View Code ZIP pw:eip

References (7)

[Various Sources] http://dsecrg.com/pages/vul/show.php?id=120

[Vendor Advisory] http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214

[Vendor Advisory] http://issues.apache.org/jira/browse/GERONIMO-4597

[Exploit] http://www.securityfocus.com/bid/34562

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/502735/100/0/threaded

[Third Party Advisory] http://secunia.com/advisories/34715

[Third Party Advisory] http://www.vupen.com/english/advisories/2009/1089

Scores

EPSS 0.0382

EPSS Percentile 88.2%

Details

CWE

CWE-352

Status published

Products (5)

apache/geronimo 2.1

apache/geronimo 2.1.1

apache/geronimo 2.1.2

apache/geronimo 2.1.3

org.apache.geronimo.plugins/console 0 - 2.1.4Maven

Published Apr 17, 2009

Tracked Since Feb 18, 2026