Google Git
Sign in
apache / archiva-site / 623144545e9638f4647af26dc0bca62937ef00c9 / . / src / site / apt / security.apt
blob: cd2c6c9373e581a6285d10c87e4a45d2e655edac [file] [log] [blame]
------
Security Vulnerabilities
------
~~ Licensed to the Apache Software Foundation (ASF) under one
~~ or more contributor license agreements. See the NOTICE file
~~ distributed with this work for additional information
~~ regarding copyright ownership. The ASF licenses this file
~~ to you under the Apache License, Version 2.0 (the
~~ "License"); you may not use this file except in compliance
~~ with the License. You may obtain a copy of the License at
~~
~~ http://www.apache.org/licenses/LICENSE-2.0
~~
~~ Unless required by applicable law or agreed to in writing,
~~ software distributed under the License is distributed on an
~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~~ KIND, either express or implied. See the License for the
~~ specific language governing permissions and limitations
~~ under the License.
~~ NOTE: For help with the syntax of this file, see:
~~ http://maven.apache.org/guides/mini/guide-apt-format.html
Security Vulnerabilities
Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular
vulnerability you should upgrade to an Apache Archiva version where that vulnerability has been fixed.
For more information about reporting vulnerabilities, see the
{{{http://www.apache.org/security/} Apache Security Team}} page.
This is a list of known issues
%{toc|fromDepth=2|toDepth=2}
* {CVE-2017-5657}: Apache Archiva CSRF vulnerabilities for various REST endpoints
Several REST service endpoints of Apache Archiva are not protected against CSRF attacks.
A malicious site opened in the same browser as the archiva site, may send HTML response
that performs arbitrary actions on archiva services, with the same rights as the active archiva
session (e.g. adminstrator rights).
Versions Affected:
* All versions before 2.2.3
Mitigation:
* Upgrade to {{{./download.html} Archiva 2.2.3 or higher}}, where additional measures are taken to verify
the origin of REST requests.
* {CVE-2013-2251}: Apache Archiva Remote Command Execution
Apache Archiva is affected by a vulnerability in the version of the Struts
library being used, which allows a malicious user to run code on the
server remotely. More details about the vulnerability can be found at
{{http://struts.apache.org/release/2.3.x/docs/s2-016.html}}.
Versions Affected:
* Archiva 1.3 to Archiva 1.3.6
* The unsupported versions Archiva 1.2 to 1.2.2 are also affected.
[]
All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1
or Archiva 1.3.8}}, which are not affected by this issue.
Archiva 2.0.0 and later is not affected by this issue.
* {CVE-2013-2187}: Apache Archiva Cross-Site Scripting vulnerability
A request that included a specially crafted request parameter could be used
to inject arbitrary HTML or Javascript into the Archiva home page.
Versions Affected:
* Archiva 1.3 to Archiva 1.3.6
* The unsupported versions Archiva 1.2 to 1.2.2 are also affected.
[]
All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1
or Archiva 1.3.8}}, which are not affected by this issue.
Archiva 2.0.0 and later is not affected by this issue.
* {CVE-2010-1870}: Struts2 remote commands execution
Apache Archiva is affected by a vulnerability in the version of the Struts
library being used, which allows a malicious user to run code on the
server remotely. More details about the vulnerability can be found at
{{http://struts.apache.org/2.2.1/docs/s2-005.html}}.
Versions Affected:
* Archiva 1.3 to Archiva 1.3.5
* The unsupported versions Archiva 1.2 to 1.2.2 are also affected.
[]
All users are recommended to upgrade to {{{./download.cgi} Archiva
1.3.6}}, which configures Struts in such a way that it is not affected by
this issue.
Archiva 1.4-M3 and later is not affected by this issue.
* {CVE-2011-1077}: Multiple XSS issues
Apache Archiva is vulnerable to multiple XSS issues, both stored (persistent) and reflected (non-persistent). Javascript which
might contain malicious code can be appended in a request parameter or stored as a value in a submitted form, and get executed.
Versions Affected:
* Archiva 1.3 to 1.3.4
* The unsupported versions Archiva 1.0 to 1.2.2 are also affected.
[]
* {CVE-2011-1026}: Multiple CSRF issues
An attacker can build a simple html page containing a hidden Image tag (eg: <<<<img src=vulnurl width=0 height=0 />>>>) and
entice the administrator to access the page.
Versions Affected:
* Archiva 1.3 to 1.3.4
* The unsupported versions Archiva 1.0 to 1.2.2 are also affected.
[]
* {CVE-2011-0533}: Apache Archiva cross-site scripting vulnerability
A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the
Archiva user management page. This fix is available in version {{{./download.html} 1.3.4}} of Apache Archiva. All users must
upgrade to this version (or higher).
Versions Affected:
* Archiva 1.3 to 1.3.3
* The unsupported versions Archiva 1.0 to 1.2.2 are also affected.
[]
* {CVE-2010-3449}: Apache Archiva CSRF Vulnerability
Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force
archiva administrators to view it and change their credentials. To fix this, a referrer check was added to the security
interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also set
in place. This fix is available in version {{{./download.html} 1.3.2}} of Apache Archiva. All users must upgrade to this
version (or higher).
Versions Affected:
* Archiva 1.3 to 1.3.1
* Archiva 1.2 to 1.2.2 (end of life)
* Archiva 1.1 to 1.1.4 (end of life)
* Archiva 1.0 to 1.0.3 (end of life)
[]