 ------
 Security Vulnerabilities
 ------

~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements.  See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership.  The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License.  You may obtain a copy of the License at
~~
~~   http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~~ KIND, either express or implied.  See the License for the
~~ specific language governing permissions and limitations
~~ under the License.

~~ NOTE: For help with the syntax of this file, see:
~~ http://maven.apache.org/guides/mini/guide-apt-format.html


Security Vulnerabilities

  Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular 
  vulnerability you should upgrade to an Apache Archiva version where that vulnerability has been fixed.

  For more information about reporting vulnerabilities, see the
  {{{http://www.apache.org/security/} Apache Security Team}} page.


  This is a list of known issues.

%{toc|fromDepth=2|toDepth=2}


* {CVE-2019-0213}: Apache Archiva XSS may be stored in central UI configuration

  It may be possible to store malicious XSS code in central configuration entries, such as the logo URL.
  The vulnerability is considered a minor risk, because only users with the admin role can change the configuration;
  otherwise the communication between the browser and the Archiva server would have to be compromised.

  Versions Affected:

    * All versions before 2.2.4

  Mitigation:

    * Upgrade to {{{./download.cgi} Archiva 2.2.4 or higher}}
 
    * Make sure that communication between the Archiva server and the browser is secured with TLS, and that only a
      limited set of trusted users is assigned the admin role.
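
  As an added illustration (not Archiva's own code), the following check accepts only http(s) URLs or site-relative paths for a
  configured logo URL and encodes the stored value before it is placed into an HTML attribute; the class name and the
  allowed-scheme list are assumptions:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Illustrative checks for a stored UI configuration value such as the logo URL (not Archiva's own code). */
public final class LogoUrlCheck {
    // Assumption: only web URLs or a site-relative path are acceptable as a logo source.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Returns true if the value may be stored as the logo URL; unparsable or non-http(s) values are rejected. */
    public static boolean isAcceptable(String value) {
        if (value == null || value.isEmpty()) {
            return true; // unset: the UI falls back to the default logo
        }
        URI uri;
        try {
            uri = new URI(value); // quotes, spaces, '<' and '>' make this throw
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null) {
            return value.startsWith("/") && !value.startsWith("//"); // site-relative path only
        }
        return ALLOWED_SCHEMES.contains(uri.getScheme().toLowerCase(Locale.ROOT)) && uri.getHost() != null;
    }

    /** Encodes a value for use inside a double-quoted HTML attribute such as src="...". */
    public static String attributeEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println(isAcceptable("https://cdn.example.org/logo.png")); // an ordinary image URL
        System.out.println(isAcceptable("javascript:void(0)"));               // a script scheme, not in the allow-list
        System.out.println(isAcceptable("\" onerror=\"x"));                   // an attribute break-out attempt
        System.out.println("<img src=\"" + attributeEncode("https://cdn.example.org/a.png?x=1&y=2") + "\">");
    }
}
```

  Validation on input and encoding on output are independent layers; the encoder is still needed even for values that
  pass the URL check, because a later UI change may render the value in a different context.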


* {CVE-2019-0214}: Apache Archiva arbitrary file write and delete on the server

  It is possible to write files to arbitrary locations on the Archiva server by using the artifact upload mechanism.
  Existing files can be overwritten if the Archiva run user has the appropriate filesystem permissions for the target file.

  Versions Affected:

    * All versions before 2.2.4

  Mitigation:

    * It is highly recommended to upgrade to {{{./download.cgi} Archiva 2.2.4 or higher}}, where additional validations are implemented
      to reject such malicious parameter values.

    * As an intermediate measure, you may reduce the number of users allowed to upload to Archiva and make sure that the Archiva run user
      has write permission only to the directories it needs.
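
  As an added illustration of the kind of parameter validation such a fix needs (not Archiva's own code), the following
  resolves upload coordinates below a repository root and rejects anything that would escape it; the class name, the
  Maven 2 layout and the sample repository root are assumptions:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Illustrative containment check for upload target paths (not Archiva's own validation code). */
public final class SafeUploadPath {
    /**
     * Resolves the upload's coordinates below the repository root and returns the target,
     * or throws if any parameter would place the file outside that root.
     * Assumption: a Maven 2 layout, where groupId dots become directory separators.
     */
    public static Path resolve(Path repositoryRoot, String groupId, String artifactId,
                               String version, String fileName) {
        Path root = repositoryRoot.toAbsolutePath().normalize();
        Path target = root;
        for (String segment : groupId.split("\\.")) {
            target = target.resolve(requireSimpleSegment(segment));
        }
        target = target.resolve(requireSimpleSegment(artifactId))
                       .resolve(requireSimpleSegment(version))
                       .resolve(requireSimpleSegment(fileName))
                       .normalize();
        // Defense in depth: even after per-segment checks, the final path must stay under the root.
        // normalize() does not follow symlinks; use toRealPath() on existing parents if links are a concern.
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("upload target escapes the repository root");
        }
        return target;
    }

    /** A single path segment: non-empty, not "." or "..", and free of separators and NUL. */
    static String requireSimpleSegment(String s) {
        if (s == null || s.isEmpty() || s.equals(".") || s.equals("..")
                || s.indexOf('/') >= 0 || s.indexOf('\\') >= 0 || s.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid path segment: " + s);
        }
        return s;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/archiva/repositories/internal"); // constructed sample root
        System.out.println(resolve(root, "org.example", "lib", "1.0", "lib-1.0.jar"));
        try {
            // a traversal attempt in the artifactId parameter is rejected before any resolution happens
            resolve(root, "org.example", "../../outside", "1.0", "lib-1.0.jar");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

  The per-segment check and the final containment check overlap on purpose: the first gives a precise error for the
  offending parameter, the second catches anything the segment rules missed.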


* {CVE-2017-5657}: Apache Archiva CSRF vulnerabilities for various REST endpoints

  Several REST service endpoints of Apache Archiva are not protected against CSRF attacks.
  A malicious site opened in the same browser as the Archiva site may serve an HTML response
  that performs arbitrary actions on Archiva services, with the same rights as the active Archiva
  session (e.g. administrator rights).

  Versions Affected:

    * All versions before 2.2.3

  Mitigation:

    * Upgrade to {{{./download.html} Archiva 2.2.3 or higher}}, where additional measures are taken to verify
      the origin of REST requests.


* {CVE-2013-2251}: Apache Archiva Remote Command Execution

  Apache Archiva is affected by a vulnerability in the version of the Struts
  library being used, which allows a malicious user to run code on the
  server remotely. More details about the vulnerability can be found at
  {{http://struts.apache.org/release/2.3.x/docs/s2-016.html}}.

  Versions Affected:

    * Archiva 1.3 to Archiva 1.3.6

    * The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

    []

  All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1
  or Archiva 1.3.8}}, which are not affected by this issue.

  Archiva 2.0.0 and later versions are not affected by this issue.

* {CVE-2013-2187}: Apache Archiva Cross-Site Scripting vulnerability

  A request that included a specially crafted request parameter could be used
  to inject arbitrary HTML or JavaScript into the Archiva home page.

  Versions Affected:

    * Archiva 1.3 to Archiva 1.3.6

    * The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

    []

  All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1
  or Archiva 1.3.8}}, which are not affected by this issue.

  Archiva 2.0.0 and later versions are not affected by this issue.

* {CVE-2010-1870}: Struts2 remote commands execution

  Apache Archiva is affected by a vulnerability in the version of the Struts
  library being used, which allows a malicious user to run code on the
  server remotely. More details about the vulnerability can be found at
  {{http://struts.apache.org/2.2.1/docs/s2-005.html}}.

  Versions Affected:

    * Archiva 1.3 to Archiva 1.3.5

    * The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

    []

  All users are recommended to upgrade to {{{./download.cgi} Archiva
  1.3.6}}, which configures Struts in such a way that it is not affected by 
  this issue.

  Archiva 1.4-M3 and later versions are not affected by this issue.

* {CVE-2011-1077}: Multiple XSS issues

  Apache Archiva is vulnerable to multiple XSS issues, both stored (persistent) and reflected (non-persistent). JavaScript,
  which may contain malicious code, can be appended to a request parameter or stored as a value in a submitted form, and is then executed.

  Versions Affected:

  * Archiva 1.3 to 1.3.4

  * The unsupported versions Archiva 1.0 to 1.2.2 are also affected.

  []

* {CVE-2011-1026}: Multiple CSRF issues

  An attacker can build a simple HTML page containing a hidden image tag (e.g. <<<<img src=vulnurl width=0 height=0 />>>>) and
  entice the administrator to access the page.

  Versions Affected:

  * Archiva 1.3 to 1.3.4

  * The unsupported versions Archiva 1.0 to 1.2.2 are also affected.

  []  

* {CVE-2011-0533}: Apache Archiva cross-site scripting vulnerability

  A request that included a specially crafted request parameter could be used to inject arbitrary HTML or JavaScript into the
  Archiva user management page. This fix is available in version {{{./download.html} 1.3.4}} of Apache Archiva. All users must
  upgrade to this version (or higher).

  Versions Affected:

    * Archiva 1.3 to 1.3.3

    * The unsupported versions Archiva 1.0 to 1.2.2 are also affected.
    
    []

* {CVE-2010-3449}: Apache Archiva CSRF Vulnerability

  Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and trick
  Archiva administrators into viewing it, which changes their credentials. To fix this, a referrer check was added to the security
  interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also put
  in place. This fix is available in version {{{./download.html} 1.3.2}} of Apache Archiva. All users must upgrade to this
  version (or higher).

  Versions Affected:

    * Archiva 1.3 to 1.3.1

    * Archiva 1.2 to 1.2.2 (end of life)

    * Archiva 1.1 to 1.1.4 (end of life)

    * Archiva 1.0 to 1.0.3 (end of life)

    []
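
  As an added illustration for the CSRF issues on this page (the origin verification of REST requests mentioned under
  CVE-2017-5657 and the referrer check under CVE-2010-3449), and not Archiva's own interceptor: a servlet filter that
  rejects state-changing requests whose Origin header, or failing that Referer header, is not the site's own origin.
  It assumes Java 9+ and Servlet API 4.0+ (default init/destroy), and the allowed origin is a placeholder:

```java
import java.io.IOException;
import java.net.URI;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Illustrative servlet filter, not Archiva's own interceptor: rejects state-changing requests from other origins. */
public class OriginCheckFilter implements Filter {

    // Assumption: the deployment knows its own externally visible origin(s), as a browser would send them.
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://archiva.example.org");

    /** Returns true when the request may proceed; kept apart from the servlet plumbing so it can be unit-tested. */
    static boolean originAllowed(String method, String origin, String referer) {
        // Safe methods must not change state, so only the other methods are guarded here.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            return true;
        }
        String source = origin != null ? origin : referer; // browsers send Origin on cross-site POSTs; Referer is the fallback
        if (source == null) {
            return false; // neither header present: fail closed rather than trust the request
        }
        try {
            URI u = URI.create(source);
            if (u.getScheme() == null || u.getHost() == null) {
                return false; // covers the literal "null" origin and malformed values
            }
            String normalized = u.getScheme() + "://" + u.getHost() + (u.getPort() == -1 ? "" : ":" + u.getPort());
            return ALLOWED_ORIGINS.contains(normalized);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        if (!originAllowed(r.getMethod(), r.getHeader("Origin"), r.getHeader("Referer"))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "cross-origin request rejected");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

  The comparison is on scheme, host and port as sent by the browser, so add explicit-port variants (for example
  https://archiva.example.org:443) to the allowed set if clients are known to send them; the filter still relies on
  GET endpoints never changing state, which matches the page's note that secured actions should require a deliberate,
  verified request.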

