Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNxY2YtNGc0aC1yZ2hm

Cross-site scripting in Apache Archiva

In Apache Archiva before 2.2.4, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

Permalink: https://github.com/advisories/GHSA-cqcf-4g4h-rghf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNxY2YtNGc0aC1yZ2hm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago

CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Identifiers: GHSA-cqcf-4g4h-rghf, CVE-2019-0213
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-0213
• https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E
• https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E
• https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E
• https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E
• https://seclists.org/bugtraq/2019/Apr/47
• http://archiva.apache.org/security.html#CVE-2019-0213
• http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html
• http://www.openwall.com/lists/oss-security/2019/04/30/7
• http://www.securityfocus.com/bid/108123
• https://github.com/advisories/GHSA-cqcf-4g4h-rghf

Blast Radius: 1.0

Affected Packages