| Title | Published | Views | Family |
|---|---|---|---|
| Apache Archiva Input Validation Error Vulnerability | 30 Apr 2019 00:00 | – | cnvd |
| Apache Archiva Input Validation Error Vulnerability (CNVD-2019-26509) | 30 Apr 2019 00:00 | – | cnvd |
| CVE-2019-0213 | 30 Apr 2019 21:35 | – | cve |
| CVE-2019-0214 | 30 Apr 2019 21:48 | – | cve |
| CVE-2019-0213 | 30 Apr 2019 21:35 | – | cvelist |
| CVE-2019-0214 | 30 Apr 2019 21:48 | – | cvelist |
| EUVD-2019-0462 | 7 Oct 2025 00:30 | – | euvd |
| EUVD-2019-0474 | 7 Oct 2025 00:30 | – | euvd |
| Cross-site scripting in Apache Archiva | 14 May 2019 04:00 | – | github |
| Improper Input Validation in Apache Archiva | 14 May 2019 04:00 | – | github |
CVE-2019-0213: Apache Archiva Stored XSS
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Archiva 2.0.0 - 2.2.3
The unsupported versions 1.x are also affected.
It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL.
The vulnerability is considered a minor risk, as only users with the admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.
Mitigation:
All users are recommended to upgrade to Archiva 2.2.4 or higher.
References:
http://archiva.apache.org/security.html#CVE-2019-0213
The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi
---------------------
CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server
Severity: Medium
It is possible to write files to the Archiva server at arbitrary locations by using the artifact upload mechanism.
Existing files can be overwritten if the Archiva run user has the appropriate filesystem permission for the target file.
Mitigation:
It is highly recommended to upgrade to Archiva 2.2.4 or higher, where additional validations are implemented to prevent such malicious parameter values.
As an interim measure, you may reduce the number of users that are allowed to upload to Archiva and make sure that the Archiva run user has write permission only to the directories it needs.
References:
http://archiva.apache.org/security.html#CVE-2019-0214
The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi
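The two advisories above come down to the same defensive pattern: a value a user controls (artifact coordinates in the upload, the logo URL in the central configuration) is used to build a filesystem path or an HTML attribute without being validated. The following is an added illustration of such validation, not Archiva's own code; the repository root, the parameter names (groupId, artifactId, version, filename) and the http/https-only logo policy are assumptions for the example.

```python
import os
from urllib.parse import urlsplit

# Constructed example root; the server may only write below this directory.
REPO_ROOT = "/srv/archiva/repositories/internal"

# Characters that must never occur inside a single path component (assumed policy).
FORBIDDEN = set("/\\\x00")


def artifact_target(root, group_id, artifact_id, version, filename):
    """Resolve the on-disk path for an uploaded artifact, or return None if any
    user-supplied coordinate would place the file outside the repository root.
    Assumed layout: <root>/<groupId with dots as dirs>/<artifactId>/<version>/<filename>.
    """
    components = group_id.split(".") + [artifact_id, version, filename]
    for part in components:
        # Reject empty segments ("org..example"), dot segments and separators;
        # the component check runs before any path is built.
        if not part or part in (".", "..") or FORBIDDEN & set(part):
            return None
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, *components))
    # Containment check after symlink resolution: the target must stay under root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def safe_logo_url(value):
    """Accept only absolute http(s) URLs for the configured logo. Rejects
    javascript:/data: schemes and characters that could break out of an HTML
    attribute, so a stored value cannot become script in the rendered page."""
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    if any(ch in value for ch in "<>\"'\x00") or any(ch.isspace() for ch in value):
        return None
    return value


if __name__ == "__main__":
    print(artifact_target(REPO_ROOT, "org.example", "app", "1.0", "app-1.0.jar"))
    print(artifact_target(REPO_ROOT, "org.example", "..", "1.0", "app-1.0.jar"))
    print(safe_logo_url("https://example.org/logo.png"))
    print(safe_logo_url("javascript:alert(1)"))
```

The same containment check applies to any other user-influenced path the server writes, and restricting the run user's write permissions (as the advisory recommends) limits the damage if validation is ever bypassed.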
# 0day.today [2019-05-01] #