Authentication Bypass Vulnerability in Apache Geronimo by Missing Exception Handling
CVE-2007-5797
Currently unrated
Summary
The SQLLoginModule in Apache Geronimo versions 2.0 to 2.1 does not throw an exception when a login attempt names a username that does not exist. A remote attacker can therefore gain unauthorized access by logging in with any arbitrary username that is not registered in the database. Because the failure case is never signalled, the module's authentication check can be bypassed.
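The class of defect the summary describes, as an added Java example that is not Geronimo's SQLLoginModule source: a login routine that only throws on a wrong password, next to one that fails closed. The class and method names are hypothetical, and an in-memory map of constructed sample data stands in for the user table.

```java
import java.util.Map;
import javax.security.auth.login.FailedLoginException;

public class LoginCheckDemo {
    // Constructed sample data standing in for the rows a SQL query would return.
    // Plaintext passwords are a simplification to keep the example short.
    static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // Fail-open: only a wrong password throws. If no row matches the username,
    // nothing is thrown and control falls through to "return true".
    static boolean loginFailOpen(String user, String password) throws FailedLoginException {
        for (Map.Entry<String, String> row : USERS.entrySet()) {
            if (!row.getKey().equals(user)) {
                continue; // not this user's row
            }
            if (!row.getValue().equals(password)) {
                throw new FailedLoginException("bad password");
            }
        }
        return true; // also reached when the username was never found
    }

    // Fail-closed: success is returned only after a row was found and verified;
    // an unknown username and a wrong password produce the same exception.
    static boolean loginFailClosed(String user, String password) throws FailedLoginException {
        String stored = USERS.get(user);
        if (stored == null || password == null || !stored.equals(password)) {
            throw new FailedLoginException("login failed");
        }
        return true;
    }

    static String attempt(boolean hardened, String user, String password) {
        try {
            boolean ok = hardened ? loginFailClosed(user, password) : loginFailOpen(user, password);
            return ok ? "accepted" : "rejected";
        } catch (FailedLoginException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: valid login, wrong password, username absent from the table.
        String[][] cases = {{"alice", "s3cret"}, {"alice", "wrong"}, {"nobody", "anything"}};
        for (String[] c : cases) {
            System.out.printf("%-7s fail-open=%s fail-closed=%s%n",
                c[0] + ":", attempt(false, c[0], c[1]), attempt(true, c[0], c[1]));
        }
    }
}
```

A regression test for a login module should include the third case: a username with no matching row must be rejected, not just a known username with a wrong password.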