Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oZjRwLW1oYzgteDJncM4AATm7
Apache Archiva vulnerable to Cross Site Request Forgery
Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the Archiva site may send an HTML response that performs arbitrary actions on Archiva services with the same rights as the active Archiva session (e.g. administrator rights).
Permalink: https://github.com/advisories/GHSA-hf4p-mhc8-x2gp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oZjRwLW1oYzgteDJncM4AATm7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-hf4p-mhc8-x2gp, CVE-2017-5657
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-5657
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- http://archiva.apache.org/security.html#CVE-2017-5657
- http://www.securityfocus.com/bid/98570
- https://web.archive.org/web/20211206215453/https://securitytracker.com/id/1038528
- https://github.com/advisories/GHSA-hf4p-mhc8-x2gp
Affected Packages
maven:org.apache.archiva:archiva
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 2.2.3
Fixed in: 2.2.3
All affected versions: 2.2.0, 2.2.1
All unaffected versions: 2.2.3, 2.2.4