Lucene search

GitHub Advisory DatabaseGHSA-JXGM-9F58-W4XP

HistoryMay 14, 2019 - 4:00 a.m.

Improper Input Validation in Apache Archiva

2019-05-1404:00:21

CWE-20

GitHub Advisory Database

github.com

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.004

Percentile

73.4%

JSON

In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

Affected configurations

Vulners

Node

org.apache.archivaarchivaRange2.2.0–2.2.4

VendorProductVersionCPE
org.apache.archivaarchiva*cpe:2.3:a:org.apache.archiva:archiva:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.archiva	archiva	*	cpe:2.3:a:org.apache.archiva:archiva::::::::

References

archiva.apache.org/security.html#CVE-2019-0214

packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html

www.openwall.com/lists/oss-security/2019/04/30/8

www.securityfocus.com/bid/108124

github.com/advisories/GHSA-jxgm-9f58-w4xp

lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8@%3Cannounce.apache.org%3E

lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e@%3Cusers.maven.apache.org%3E

lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda@%3Cusers.archiva.apache.org%3E

lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2019-0214

seclists.org/bugtraq/2019/Apr/48

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.004

Percentile

73.4%

JSON

Related for GHSA-JXGM-9F58-W4XP