Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp4Z20tOWY1OC13NHhw
Improper Input Validation in Apache Archiva
In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.
Permalink: https://github.com/advisories/GHSA-jxgm-9f58-w4xpJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp4Z20tOWY1OC13NHhw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-jxgm-9f58-w4xp, CVE-2019-0214
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-0214
- http://archiva.apache.org/security.html#CVE-2019-0214
- http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html
- http://www.openwall.com/lists/oss-security/2019/04/30/8
- https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e@%3Cusers.maven.apache.org%3E
- https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda@%3Cusers.archiva.apache.org%3E
- https://seclists.org/bugtraq/2019/Apr/48
- https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E
- http://www.securityfocus.com/bid/108124
- https://github.com/advisories/GHSA-jxgm-9f58-w4xp
Affected Packages
maven:org.apache.archiva:archiva
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 2.2.0, < 2.2.4
Fixed in: 2.2.4
All affected versions: 2.2.0, 2.2.1, 2.2.3
All unaffected versions: 2.2.4