archiva-web-common is vulnerable to arbitrary file write and delete. The vulnerability exists as it was possible to provide a malicious file path via the file name, causing the file write and delete operations to be executed on files that exists out of the temporary folders.
archiva.apache.org/security.html#CVE-2019-0214
packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html
www.openwall.com/lists/oss-security/2019/04/30/8
www.securityfocus.com/bid/108124
github.com/apache/archiva/compare/52b971c59333153f4fbeb779a4c1373316f579c4...cc0d8ad0b525e641855319812877fdc6c8cd327c
lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8@%3Cannounce.apache.org%3E
lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e@%3Cusers.maven.apache.org%3E
lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda@%3Cusers.archiva.apache.org%3E
lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E
seclists.org/bugtraq/2019/Apr/48