
CVE-2008-5518: Apache Geronimo Application Server multiple directory traversal vulnerabilities

CVSS Score: 9.4

Basic Information

EPSS Score: 0.94413%
Published: 5/14/2022
Updated: 3/6/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector (v2): AV:N/AC:L/Au:N/C:C/I:C/A:N

Package Name: org.apache.geronimo.plugins:console
Ecosystem: maven
Vulnerable Versions: >= 2.1.0, < 2.1.4
First Patched Version: 2.1.4

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing input validation for path-related parameters across multiple administration console components. The fixing commit adds InputUtils.validateSafeInput() calls to the affected functions, which indicates that they previously accepted these values without any check. Each function handles parameters explicitly listed in the CVE description (group, artifact, version and fileType for the Repository module; filename for the Keystores module; createDB for the DB Manager module), so a client-supplied directory traversal sequence in any of them was used as-is when the destination path was built. The direct correspondence between the patched functions and the vulnerable parameters, together with the traversal-pattern checks the new validation performs, confirms these functions as the vulnerable ones.
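The fix described above is an input check placed in front of the path construction. What follows is an added illustration written for this page, not Geronimo's own console code: a simplified repository-upload handler that takes the four client-controlled Repository parameters the advisory names, first built without validation and then with a check in the spirit of the InputUtils.validateSafeInput() call the fix introduced, plus a containment check on the resolved path. The class and method names, the allow-list pattern and the repository root are assumptions; the same treatment applies to the Keystores filename and DB Manager createDB parameters.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Illustration only (not Geronimo code): repository upload path handling before and after validation. */
public class RepositoryUploadExample {

    private final Path repositoryRoot;

    public RepositoryUploadExample(Path repositoryRoot) {
        // Assumed repository root; absolute and normalized so containment checks are meaningful.
        this.repositoryRoot = repositoryRoot.toAbsolutePath().normalize();
    }

    /** Vulnerable shape: client-chosen coordinates are spliced into the path unchecked. */
    public Path vulnerableTarget(String group, String artifact, String version, String fileType) {
        // With group = "..\\..\\deploy" (Windows) or "../../deploy" (Unix) the result leaves
        // repositoryRoot, which is the upload-to-arbitrary-directory behaviour the advisory describes.
        return repositoryRoot.resolve(group)
                .resolve(artifact)
                .resolve(version)
                .resolve(artifact + "-" + version + "." + fileType);
    }

    // Assumed allow-list for one Maven-style coordinate: letters, digits, '.', '_' and '-'.
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]*");

    /** Stand-in for the validation the fix added: reject separators and ".." outright. */
    static String validateSafeInput(String parameter, String value) {
        if (value == null
                || value.indexOf('/') >= 0 || value.indexOf('\\') >= 0   // both separators count on Windows
                || value.contains("..")                                    // catches "org..apache" as well
                || !SAFE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("unsafe value for parameter '" + parameter + "'");
        }
        return value;
    }

    /** Hardened shape: validate every field, then prove the resolved path stayed under the root. */
    public Path hardenedTarget(String group, String artifact, String version, String fileType) {
        Path target = vulnerableTarget(
                validateSafeInput("group", group),
                validateSafeInput("artifact", artifact),
                validateSafeInput("version", version),
                validateSafeInput("fileType", fileType)).normalize();
        // Defence in depth: even a gap in the allow-list must not write outside repositoryRoot.
        if (!target.startsWith(repositoryRoot)) {
            throw new SecurityException("resolved path escapes repository: " + target);
        }
        return target;
    }

    /** Writes the upload body only to a path that passed both checks. */
    public Path store(String group, String artifact, String version, String fileType, byte[] body)
            throws IOException {
        Path target = hardenedTarget(group, artifact, version, fileType);
        Files.createDirectories(target.getParent());
        return Files.write(target, body);
    }

    public static void main(String[] args) {
        RepositoryUploadExample repo = new RepositoryUploadExample(Paths.get("repository"));

        // Constructed request in the shape of the advisory's Repository module parameters.
        String hostileGroup = ".." + java.io.File.separator + ".." + java.io.File.separator + "deploy";
        System.out.println("unchecked: "
                + repo.vulnerableTarget(hostileGroup, "evil", "1.0", "war").normalize());

        try {
            repo.hardenedTarget(hostileGroup, "evil", "1.0", "war");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        System.out.println("accepted: "
                + repo.hardenedTarget("org.apache.geronimo.samples", "hello", "2.1.4", "jar"));
    }
}
```

Two details matter for the Windows scope the advisory gives. Both `/` and `\` separate path components there, so a check that only looks for `../` misses `..\`; the example rejects both separators on every platform rather than trusting `File.separator`. The final `startsWith(repositoryRoot)` check after `normalize()` is independent of the allow-list, so a mistake in the pattern still cannot turn into a write outside the repository.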


WAF Protection Rules

WAF Rule

Multiple directory traversal vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 on Windows allow remote attackers to upload files to arbitrary directories via directory traversal sequences in the
