9.4

CVSS Score

Basic Information

CVE ID

CVE-2008-5518

GHSA ID

GHSA-xm92-rf24-h74w

EPSS Score

0.94413%

CWE

CWE-22

Published

5/14/2022

Updated

3/6/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2008-5518

CVE-2008-5518: Apache Geronimo Application Server multiple directory traversal vulnerabilities

Multiple directory traversal vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 on Windows allow remote attackers to upload files to arbitrary directories via directory traversal sequences in the (1) group, (2) artifact, (3) version, or (4) fileType parameter to console/portal//Services/Repository (aka the Services/Repository portlet); the (5) createDB parameter to console/portal/Embedded DB/DB Manager (aka the Embedded DB/DB Manager portlet); or the (6) filename parameter to the createKeystore script in the Security/Keystores portlet.

(GitHub Advisory)

9.4

CVSS Score

Basic Information

CVE ID

CVE-2008-5518

GHSA ID

GHSA-xm92-rf24-h74w

EPSS Score

0.94413%

CWE

CWE-22

Published

5/14/2022

Updated

3/6/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:C/I:C/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.geronimo.plugins:console	maven	>= 2.1.0, < 2.1.4	2.1.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing input validation for path-related parameters across multiple administration console components. The commit adds InputUtils.validateSafeInput() calls to these specific functions, indicating they previously lacked validation. Each function handles parameters explicitly listed in the CVE description (group/artifact/version/fileType for Repository, filename for Keystores, createDB for DB Manager). The direct correlation between patched functions and vulnerability parameters, combined with the directory traversal pattern checks added in validation, confirms their vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Multipl* *ir**tory tr*v*rs*l vuln*r**iliti*s in t** w** **ministr*tion *onsol* in *p**** **ronimo *ppli**tion S*rv*r *.* t*rou** *.*.* on Win*ows *llow r*mot* *tt**k*rs to uplo** *il*s to *r*itr*ry *ir**tori*s vi* *ir**tory tr*v*rs*l s*qu*n**s in t**

Reasoning

T** vuln*r**ility st*ms *rom missin* input v*li**tion *or p*t*-r*l*t** p*r*m*t*rs **ross multipl* **ministr*tion *onsol* *ompon*nts. T** *ommit ***s `InputUtils.v*li**t*S***Input()` **lls to t**s* sp**i*i* *un*tions, in*i**tin* t**y pr*viously l**k**

9.4

Basic Information

Concerned about an active attack path?

CVE-2008-5518: Apache Geronimo Application Server multiple directory traversal vulnerabilities

9.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI