CVE-2008-5518

high

Description

Multiple directory traversal vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 on Windows allow remote attackers to upload files to arbitrary directories via directory traversal sequences in the (1) group, (2) artifact, (3) version, or (4) fileType parameter to console/portal//Services/Repository (aka the Services/Repository portlet); the (5) createDB parameter to console/portal/Embedded DB/DB Manager (aka the Embedded DB/DB Manager portlet); or the (6) filename parameter to the createKeystore script in the Security/Keystores portlet.

References

http://dsecrg.com/pages/vul/show.php?id=118

http://geronimo.apache.org/21x-security-report.html#2.1.xSecurityReport-214

http://issues.apache.org/jira/browse/GERONIMO-4597

http://secunia.com/advisories/34715

http://www.securityfocus.com/archive/1/502733/100/0/threaded

http://www.securityfocus.com/bid/34562

http://www.vupen.com/english/advisories/2009/1089

https://exchange.xforce.ibmcloud.com/vulnerabilities/49898

https://exchange.xforce.ibmcloud.com/vulnerabilities/49899

https://exchange.xforce.ibmcloud.com/vulnerabilities/49900

https://www.exploit-db.com/exploits/8458

Details

Source: MITRE

Published: 2009-04-17

Updated: 2018-10-11

Type: CWE-22

Risk Information

CVSS v2

Base Score: 9.4

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N

Impact Score: 9.2

Exploitability Score: 10

Severity: HIGH

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 52690 | SuSE 11 Security Update : Websphere Community Edition (SAT Patch Number 1016) | Nessus | SuSE Local Security Checks | high |
| 41597 | SuSE 10 Security Update : Websphere Community Edition (ZYPP Patch Number 6312) | Nessus | SuSE Local Security Checks | high |
| 41458 | SuSE 11 Security Update : Websphere Community Edition (SAT Patch Number 1016) | Nessus | SuSE Local Security Checks | high |