In Apache Archiva before 2.2.4, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.
archiva.apache.org/security.html#CVE-2019-0213
packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html
www.openwall.com/lists/oss-security/2019/04/30/7
www.securityfocus.com/bid/108123
lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E
lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E
lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E
lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2019-0213
seclists.org/bugtraq/2019/Apr/47