Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oZjRwLW1oYzgteDJncM4AATm7

Apache Archiva vulnerable to Cross Site Request Forgery

Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the Archiva site can serve HTML (for example an auto-submitting form or a script) that makes the browser send requests to those REST endpoints; because the browser attaches the existing Archiva session cookie, the requests perform arbitrary actions on Archiva services with the same rights as the active Archiva session (e.g. administrator rights).
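The following is an added example, not code from the Archiva project or from the advisory, showing the kind of check a cookie-authenticated REST endpoint needs to stop the attack described above: a state-changing request is only accepted when the browser-supplied Origin header (or, as a fallback, the Referer header) names an origin on which the application's own UI is served. The allow-list, the sample requests and the cookie value are constructed for illustration; they are assumptions, not values from Archiva.

```python
"""Added example (not Apache Archiva's own fix): origin-based CSRF check for
cookie-authenticated REST endpoints, exercised against constructed requests."""
from urllib.parse import urlsplit

# Assumption for this example: the origin(s) at which the web UI is served.
ALLOWED_ORIGINS = {"https://archiva.example.org"}

# Methods that are allowed to change server state. A GET that changes state
# cannot be protected by this check and must be fixed at the endpoint itself.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def _origin_of(url):
    """Reduce a full URL (e.g. a Referer) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_csrf_safe(method, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return True when a cookie-authenticated request may proceed.

    Policy (an assumption for this example): safe methods pass; state-changing
    requests must carry an Origin header, or failing that a Referer header,
    whose origin is on the allow-list. A missing header is rejected rather than
    allowed, because browsers send Origin on every cross-site POST, so a
    headerless state-changing request is not a normal browser UI request.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    if method.upper() not in STATE_CHANGING:
        return True

    origin = lower.get("origin")
    if origin is not None:
        # "null" (sandboxed iframes, data: URLs) never matches the allow-list.
        origin = origin.strip().lower()
    elif "referer" in lower:
        origin = _origin_of(lower["referer"])

    if origin is None:
        return False
    return origin in {o.lower() for o in allowed_origins}


# Constructed sample requests (header subsets only). The cookie is a placeholder.
SESSION = {"Cookie": "JSESSIONID=constructed-session-id"}

SAMPLE_REQUESTS = {
    # Legitimate UI call: same-origin DELETE from the Archiva web UI.
    "ui_delete_repository": ("DELETE", {**SESSION, "Origin": "https://archiva.example.org"}),
    # CSRF: auto-submitted <form> on an attacker page; the browser adds the
    # victim's session cookie and the attacker's origin.
    "forged_form_post": ("POST", {**SESSION, "Origin": "https://evil.example"}),
    # CSRF from a client that sends only Referer (older browser, no Origin).
    "forged_referer_only": ("POST", {**SESSION, "Referer": "https://evil.example/attack.html"}),
    # Legitimate call identified by Referer alone.
    "ui_referer_only": ("PUT", {**SESSION, "Referer": "https://archiva.example.org/index.html"}),
    # CSRF from a sandboxed iframe: opaque origin.
    "forged_opaque_origin": ("POST", {**SESSION, "Origin": "null"}),
    # Request with neither header: rejected under this policy.
    "forged_headerless": ("POST", {**SESSION}),
    # Read-only call: allowed regardless of origin (must not change state).
    "cross_site_get": ("GET", {**SESSION, "Origin": "https://evil.example"}),
}


def evaluate_samples():
    """Run the check over every constructed request; returns {name: allowed}."""
    return {name: is_csrf_safe(method, hdrs) for name, (method, hdrs) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'REJECT'}")
```

Two caveats matter when applying this pattern: the allow-list must match the origin exactly as the browser sends it (scheme and any explicit port included), and the check does nothing for endpoints that change state on GET, which must be changed to a state-changing method first. A per-session anti-CSRF token or a required custom request header is the usual complement to an origin check.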

Permalink: https://github.com/advisories/GHSA-hf4p-mhc8-x2gp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oZjRwLW1oYzgteDJncM4AATm7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago


CVSS Score: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Identifiers: GHSA-hf4p-mhc8-x2gp, CVE-2017-5657
References:

Affected Packages

maven:org.apache.archiva:archiva
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 2.2.3
Fixed in: 2.2.3
All affected versions: 2.2.0, 2.2.1
All unaffected versions: 2.2.3, 2.2.4