5 matches found
CVE-2022-29405
In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
CVE-2022-40308
If anonymous read enabled, it's possible to read the database file directly without logging in.
CVE-2020-9495
Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. A attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. ...
CVE-2019-0213
In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva s...
CVE-2022-40309
Users with write permissions to a repository can delete arbitrary directories.