GitHub Advisory Database: GHSA-RV4H-M4WC-V99W
History: Mar 01, 2024 - 6:30 p.m.

Apache Archiva Incorrect Authorization vulnerability

2024-03-01 18:30:23
CWE-863
GitHub Advisory Database
github.com
Tags: apache archiva, authorization, vulnerability, user registration, bypass, unsupported, retired, migration, untrusted users

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 7
Confidence: High

EPSS: 0
Percentile: 9.0%

UNSUPPORTED WHEN ASSIGNED: Incorrect Authorization vulnerability in Apache Archiva.

Apache Archiva has a setting to disable user registration; however, this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or to isolate your instance from any untrusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected configurations

Vulners
Node: org.apache.archiva, archiva; Range: 2.2.10

Vendor: org.apache.archiva
Product: archiva
Version: *
CPE: cpe:2.3:a:org.apache.archiva:archiva:*:*:*:*:*:*:*:*
