Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NjN3LWh4ZnYtZzlmNs4AAv4r
Apache Archiva vulnerable to Sensitive Information Disclosure via anonymous user
Apache Archiva prior to 2.2.9 may allow the anonymous user to read arbitrary files. If anonymous read enabled, it's possible to read the database file directly without logging in.
Permalink: https://github.com/advisories/GHSA-463w-hxfv-g9f6JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NjN3LWh4ZnYtZzlmNs4AAv4r
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-463w-hxfv-g9f6, CVE-2022-40308
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-40308
- https://lists.apache.org/thread/x01pnn0jjsw512cscxsbxzrjmz64n4cc
- http://www.openwall.com/lists/oss-security/2022/11/15/2
- https://archiva.apache.org/security.html
- https://github.com/advisories/GHSA-463w-hxfv-g9f6
Affected Packages
maven:org.apache.archiva:archiva-common
Dependent packages: 14Dependent repositories: 55
Downloads:
Affected Version Ranges: < 2.2.9
Fixed in: 2.2.9
All affected versions: 2.2.0, 2.2.1, 2.2.3, 2.2.4
All unaffected versions: