CVE-2008-5518

Name of the Vulnerable Software and Affected Versions Apache Geronimo Application Server versions 2.1 through 2.1.3

Description The issue concerns multiple directory traversal vulnerabilities in the web administration console. These vulnerabilities allow remote attackers to upload files to arbitrary directories via directory traversal sequences in various parameters, including the group, artifact, version, or fileType parameter to the "console/portal//Services/Repository" endpoint, the createDB parameter to the "console/portal/Embedded DB/DB Manager" endpoint, or the filename parameter to the createKeystore script in the Security/Keystores portlet.

Recommendations For Apache Geronimo Application Server versions 2.1 through 2.1.3, consider restricting access to the vulnerable parameters, such as group, artifact, version, fileType, createDB, and filename, in the respective endpoints until a patch is available. As a temporary workaround, avoid using these parameters in the affected API endpoints and portlets.