Donald Woods

**Name of the Vulnerable Software and Affected Versions** Apache Geronimo version 2.0 **Description** The issue concerns the login method in LoginModule implementations, which does not properly handle failed logins by not throwing a FailedLoginException. This allows remote attackers to bypass authentication requirements. Attackers can exploit this by sending a blank username and password, potentially allowing them to deploy arbitrary modules and gain administrative access. **Recommendations** For Apache Geronimo version 2.0, consider implementing a custom LoginModule that correctly throws a FailedLoginException for failed logins as a temporary workaround. Restrict access to the deployment module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.