CVE-2009-0039 - OpenCVE

Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Geronimo

Configuration 1 [-]

OR	cpe:2.3:a:apache:geronimo:2.1:::::::*
	cpe:2.3:a:apache:geronimo:2.1.1:::::::*
	cpe:2.3:a:apache:geronimo:2.1.2:::::::*
	cpe:2.3:a:apache:geronimo:2.1.3:::::::*

No data.

References

Link	Providers
http://dsecrg.com/pages/vul/show.php?id=120
http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214
http://issues.apache.org/jira/browse/GERONIMO-4597
http://secunia.com/advisories/34715
http://www.securityfocus.com/archive/1/502735/100/0/threaded
http://www.securityfocus.com/bid/34562
http://www.vupen.com/english/advisories/2009/1089

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-04-17T14:00:00

Updated: 2024-08-07T04:17:10.473Z

Reserved: 2008-12-15T00:00:00

Link: CVE-2009-0039

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-04-17T14:30:00.547

Modified: 2018-10-11T20:59:19.620

Link: CVE-2009-0039

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-04-16T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214"}, {"name": "ADV-2009-1089", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/1089"}, {"name": "34562", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/34562"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://issues.apache.org/jira/browse/GERONIMO-4597"}, {"name": "34715", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34715"}, {"name": "20090416 [DSECRG-09-020] Apache Geronimo - XSRF vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/502735/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://dsecrg.com/pages/vul/show.php?id=120"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2009-0039", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214", "refsource": "CONFIRM", "url": "http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214"}, {"name": "ADV-2009-1089", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/1089"}, {"name": "34562", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34562"}, {"name": "http://issues.apache.org/jira/browse/GERONIMO-4597", "refsource": "CONFIRM", "url": "http://issues.apache.org/jira/browse/GERONIMO-4597"}, {"name": "34715", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34715"}, {"name": "20090416 [DSECRG-09-020] Apache Geronimo - XSRF vulnerabilities", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/502735/100/0/threaded"}, {"name": "http://dsecrg.com/pages/vul/show.php?id=120", "refsource": "MISC", "url": "http://dsecrg.com/pages/vul/show.php?id=120"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T04:17:10.473Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214"}, {"name": "ADV-2009-1089", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/1089"}, {"name": "34562", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/34562"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://issues.apache.org/jira/browse/GERONIMO-4597"}, {"name": "34715", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34715"}, {"name": "20090416 [DSECRG-09-020] Apache Geronimo - XSRF vulnerabilities", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/502735/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://dsecrg.com/pages/vul/show.php?id=120"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-0039", "datePublished": "2009-04-17T14:00:00", "dateReserved": "2008-12-15T00:00:00", "dateUpdated": "2024-08-07T04:17:10.473Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:geronimo:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "ECF8E5A6-BCAA-428E-A703-6D1508AE2DA0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:geronimo:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "7353F7C5-18E8-4310-B31E-9B13963E3F18", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:geronimo:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "73F4CBB7-FF16-4B01-85B2-5B3FE7C8BE3D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:geronimo:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "366DB1DC-39E2-43A1-9A23-37B7A75F7D07", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 allow remote attackers to hijack the authentication of administrators for requests that (1) change the web administration password, (2) upload applications, and perform unspecified other administrative actions, as demonstrated by (3) a Shutdown request to console/portal//Server/Shutdown."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en la consola de administraci\u00f3n web en Apache Geronimo Application Server 2.1 a 2.1.3 permite a atacantes remotos realizar acciones no autorizadas como administradores para peticiones que (1) cambian la contrase\u00f1a de administraci\u00f3n de la web, (2) suben aplicaciones y realizan otras acciones de administraci\u00f3n no especificadas como es demuestrado por (3) una petici\u00f3n de apagado a console/portal//Server/Shutdown."}], "id": "CVE-2009-0039", "lastModified": "2018-10-11T20:59:19.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-04-17T14:30:00.547", "references": [{"source": "secalert@redhat.com", "url": "http://dsecrg.com/pages/vul/show.php?id=120"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://issues.apache.org/jira/browse/GERONIMO-4597"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/34715"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/502735/100/0/threaded"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/34562"}, {"source": "secalert@redhat.com", "url": "http://www.vupen.com/english/advisories/2009/1089"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}