Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp4Z20tOWY1OC13NHhw

Improper Input Validation in Apache Archiva

In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

Permalink: https://github.com/advisories/GHSA-jxgm-9f58-w4xp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp4Z20tOWY1OC13NHhw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago

CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.00385
EPSS Percentile: 0.73514

Identifiers: GHSA-jxgm-9f58-w4xp, CVE-2019-0214
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-0214
• http://archiva.apache.org/security.html#CVE-2019-0214
• http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html
• http://www.openwall.com/lists/oss-security/2019/04/30/8
• https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e@%3Cusers.maven.apache.org%3E
• https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda@%3Cusers.archiva.apache.org%3E
• https://seclists.org/bugtraq/2019/Apr/48
• https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8@%3Cannounce.apache.org%3E
• https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E
• http://www.securityfocus.com/bid/108124
• https://github.com/advisories/GHSA-jxgm-9f58-w4xp

Blast Radius: 1.0

Affected Packages