CVE-2011-5034

Apache Geronimo < 2.2.1 - Denial of Service via Predictable Hash Collisions

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-5034. PoCs published by Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, Krzysztof Kotowicz, Christian Mehlmauer, including Metasploit module auxiliary/dos/http/hashcollision_dos.

Description

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Exploits (2)

metasploit WORKING POC
by Alexander Klink, Julian Waelde, Scott A. Crosby, Dan S. Wallach, Krzysztof Kotowicz, Christian Mehlmauer · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/hashcollision_dos.rb

This Metasploit module exploits a denial-of-service vulnerability in PHP and Java by generating a large number of colliding hash values in POST parameters, causing excessive CPU consumption. It includes payload generation for both PHP and Java hash functions and sends multiple HTTP requests to the target.

Classification: Working PoC 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: PHP and Java-based web servers (e.g., Apache with PHP, Tomcat, Glassfish, Geronimo)
No auth needed
Prerequisites: Network access to the target web server
devstral-2 · analyzed Jun 05, 2026

exploitdb WORKING POC
php · webapps · php
https://www.exploit-db.com/exploits/2012

This exploit demonstrates a SQL injection vulnerability in MyBulletinBoard (MyBB) <= 1.1.5 via the CLIENT-IP HTTP header, allowing an attacker to retrieve the admin login key and create a new admin user. The exploit uses blind SQL injection to extract the login key and then crafts an admin cookie to add a new admin user.

Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: MyBulletinBoard (MyBB) <= 1.1.5
No auth needed
Prerequisites: Network access to the target MyBB installation
devstral-2 · analyzed Feb 19, 2026

References (17)

Various Sources x_refsource_misc
http://www.nruns.com/_downloads/advisory28122011.pdf
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/47412
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/903934
Third Party Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
Various Sources x_refsource_misc
http://www.ocert.org/advisories/ocert-2011-003.html

Scores

EPSS 0.7334
EPSS Percentile 98.8%

Details

CWE: CWE-20
Status: published
Products (18)
apache/geronimo 1.0
apache/geronimo 1.1
apache/geronimo 1.1.1
apache/geronimo 1.2
apache/geronimo 2.0.1
apache/geronimo 2.0.2
apache/geronimo 2.1
apache/geronimo 2.1.1
apache/geronimo 2.1.2
apache/geronimo 2.1.3
... and 8 more
Published Dec 30, 2011
Tracked Since Feb 18, 2026