| ------ |
| Security Vulnerabilities |
| ------ |
| |
| ~~ Licensed to the Apache Software Foundation (ASF) under one |
| ~~ or more contributor license agreements. See the NOTICE file |
| ~~ distributed with this work for additional information |
| ~~ regarding copyright ownership. The ASF licenses this file |
| ~~ to you under the Apache License, Version 2.0 (the |
| ~~ "License"); you may not use this file except in compliance |
| ~~ with the License. You may obtain a copy of the License at |
| ~~ |
| ~~ http://www.apache.org/licenses/LICENSE-2.0 |
| ~~ |
| ~~ Unless required by applicable law or agreed to in writing, |
| ~~ software distributed under the License is distributed on an |
| ~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| ~~ KIND, either express or implied. See the License for the |
| ~~ specific language governing permissions and limitations |
| ~~ under the License. |
| |
| ~~ NOTE: For help with the syntax of this file, see: |
| ~~ http://maven.apache.org/guides/mini/guide-apt-format.html |
| |
| |
| Security Vulnerabilities |
| |
| Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular |
| vulnerability you should upgrade to an Apache Archiva version where that vulnerability has been fixed. |
| |
| For more information about reporting vulnerabilities, see the |
| {{{http://www.apache.org/security/} Apache Security Team}} page. |
| |
| |
| This is a list of known issues |
| |
| %{toc|fromDepth=2|toDepth=2} |
| |
| * {CVE-2022-29405}: Apache Archiva Arbitrary user password reset vulnerability |
| |
| * {CVE-2021-45105}: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation |
| |
| This may be used by attackers, if users changed the default Archiva log4j2.xml configuration. |
| |
| * {CVE-2021-45046}: Apache log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations |
| |
| This may be used by attackers, if users changed the default Archiva log4j2.xml configuration. |
| |
| * {CVE-2021-44228}: Apache log4j2 is vulnerable to remote code execution |
| |
| As mentioned in this CVE Apache log4j2 libraries are vulnerable to remote code execution. |
| Archiva is using log4j2 libraries and is therefore vulnerable to the same scenarios mentioned in this CVE. |
| Attackers may be able to inject statements into the HTTP requests which may be interpreted by the logging library |
| and lead to the download of arbitrary code from remote servers. |
| |
| |
| * {CVE-2020-9495}: Apache Archiva login service is vulnerable to LDAP injection |
| |
| By providing special values to the archiva login form a attacker is able to retrieve user attribute data from the connected LDAP server. |
| With certain characters it is possible to modify the LDAP filter used to query the users on the connected LDAP server. |
| By measuring the response time, arbitrary attribute data can be retrieved from LDAP user objects. |
| |
| Versions Affected: |
| |
| * All versions before 2.2.5 |
| |
| Mitigation: |
| |
| * Upgrade to {{{./download.cgi} Archiva 2.2.5 or higher}} |
| |
| |
| * {CVE-2019-0213}: Apache Archiva XSS may be stored in central UI configuration |
| |
| It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. |
| The vulnerability is considered as minor risk, as only users with admin role can change the configuration, |
| or the communication between the browser and the Archiva server must be compromised. |
| |
| Versions Affected: |
| |
| * All versions before 2.2.4 |
| |
| Mitigation: |
| |
| * Upgrade to {{{./download.cgi} Archiva 2.2.4 or higher}} |
| |
| * Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users |
| are assigned to admin role. |
| |
| |
| * {CVE-2019-0214}: Apache Archiva arbitrary file write and delete on the server |
| |
| It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. |
| Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file. |
| |
| Versions Affected: |
| |
| * All versions before 2.2.4 |
| |
| Mitigation: |
| |
| * It is highly recommended to upgrade to {{{./download.cgi} Archiva 2.2.4 or higher}}, where additional validations are implemented |
| to prevent such malicious parameter values. |
| |
| * As intermediate action you may reduce the number of users that are allowed to upload to archiva and make sure, that the archiva run user |
| may have only write permission to the directories needed. |
| |
| |
| * {CVE-2017-5657}: Apache Archiva CSRF vulnerabilities for various REST endpoints |
| |
| Several REST service endpoints of Apache Archiva are not protected against CSRF attacks. |
| A malicious site opened in the same browser as the archiva site, may send HTML response |
| that performs arbitrary actions on archiva services, with the same rights as the active archiva |
| session (e.g. adminstrator rights). |
| |
| Versions Affected: |
| |
| * All versions before 2.2.3 |
| |
| Mitigation: |
| |
| * Upgrade to {{{./download.html} Archiva 2.2.3 or higher}}, where additional measures are taken to verify |
| the origin of REST requests. |
| |
| |
| * {CVE-2013-2251}: Apache Archiva Remote Command Execution |
| |
| Apache Archiva is affected by a vulnerability in the version of the Struts |
| library being used, which allows a malicious user to run code on the |
| server remotely. More details about the vulnerability can be found at |
| {{http://struts.apache.org/release/2.3.x/docs/s2-016.html}}. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to Archiva 1.3.6 |
| |
| * The unsupported versions Archiva 1.2 to 1.2.2 are also affected. |
| |
| [] |
| |
| All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1 |
| or Archiva 1.3.8}}, which are not affected by this issue. |
| |
| Archiva 2.0.0 and later is not affected by this issue. |
| |
| * {CVE-2013-2187}: Apache Archiva Cross-Site Scripting vulnerability |
| |
| A request that included a specially crafted request parameter could be used |
| to inject arbitrary HTML or Javascript into the Archiva home page. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to Archiva 1.3.6 |
| |
| * The unsupported versions Archiva 1.2 to 1.2.2 are also affected. |
| |
| [] |
| |
| All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1 |
| or Archiva 1.3.8}}, which are not affected by this issue. |
| |
| Archiva 2.0.0 and later is not affected by this issue. |
| |
| * {CVE-2010-1870}: Struts2 remote commands execution |
| |
| Apache Archiva is affected by a vulnerability in the version of the Struts |
| library being used, which allows a malicious user to run code on the |
| server remotely. More details about the vulnerability can be found at |
| {{http://struts.apache.org/2.2.1/docs/s2-005.html}}. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to Archiva 1.3.5 |
| |
| * The unsupported versions Archiva 1.2 to 1.2.2 are also affected. |
| |
| [] |
| |
| All users are recommended to upgrade to {{{./download.cgi} Archiva |
| 1.3.6}}, which configures Struts in such a way that it is not affected by |
| this issue. |
| |
| Archiva 1.4-M3 and later is not affected by this issue. |
| |
| * {CVE-2011-1077}: Multiple XSS issues |
| |
| Apache Archiva is vulnerable to multiple XSS issues, both stored (persistent) and reflected (non-persistent). Javascript which |
| might contain malicious code can be appended in a request parameter or stored as a value in a submitted form, and get executed. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to 1.3.4 |
| |
| * The unsupported versions Archiva 1.0 to 1.2.2 are also affected. |
| |
| [] |
| |
| * {CVE-2011-1026}: Multiple CSRF issues |
| |
| An attacker can build a simple html page containing a hidden Image tag (eg: <<<<img src=vulnurl width=0 height=0 />>>>) and |
| entice the administrator to access the page. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to 1.3.4 |
| |
| * The unsupported versions Archiva 1.0 to 1.2.2 are also affected. |
| |
| [] |
| |
| * {CVE-2011-0533}: Apache Archiva cross-site scripting vulnerability |
| |
| A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the |
| Archiva user management page. This fix is available in version {{{./download.html} 1.3.4}} of Apache Archiva. All users must |
| upgrade to this version (or higher). |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to 1.3.3 |
| |
| * The unsupported versions Archiva 1.0 to 1.2.2 are also affected. |
| |
| [] |
| |
| * {CVE-2010-3449}: Apache Archiva CSRF Vulnerability |
| |
| Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force |
| archiva administrators to view it and change their credentials. To fix this, a referrer check was added to the security |
| interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also set |
| in place. This fix is available in version {{{./download.html} 1.3.2}} of Apache Archiva. All users must upgrade to this |
| version (or higher). |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to 1.3.1 |
| |
| * Archiva 1.2 to 1.2.2 (end of life) |
| |
| * Archiva 1.1 to 1.1.4 (end of life) |
| |
| * Archiva 1.0 to 1.0.3 (end of life) |
| |
| [] |
| |
