| ------ |
| Security Vulnerabilities |
| ------ |
| |
| ~~ Licensed to the Apache Software Foundation (ASF) under one |
| ~~ or more contributor license agreements. See the NOTICE file |
| ~~ distributed with this work for additional information |
| ~~ regarding copyright ownership. The ASF licenses this file |
| ~~ to you under the Apache License, Version 2.0 (the |
| ~~ "License"); you may not use this file except in compliance |
| ~~ with the License. You may obtain a copy of the License at |
| ~~ |
| ~~ http://www.apache.org/licenses/LICENSE-2.0 |
| ~~ |
| ~~ Unless required by applicable law or agreed to in writing, |
| ~~ software distributed under the License is distributed on an |
| ~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| ~~ KIND, either express or implied. See the License for the |
| ~~ specific language governing permissions and limitations |
| ~~ under the License. |
| |
| ~~ NOTE: For help with the syntax of this file, see: |
| ~~ http://maven.apache.org/guides/mini/guide-apt-format.html |
| |
| |
| Security Vulnerabilities |
| |
| Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular |
| vulnerability you should upgrade to an Apache Archiva version where that vulnerability has been fixed. |
| |
| For more information about reporting vulnerabilities, see the |
| {{{http://www.apache.org/security/} Apache Security Team}} page. |
| |
| * CVE-2013-2251: Apache Archiva Remote Command Execution |
| |
| Apache Archiva is affected by a vulnerability in the version of the Struts |
| library being used, which allows a malicious user to run code on the |
| server remotely. More details about the vulnerability can be found at |
| {{http://struts.apache.org/release/2.3.x/docs/s2-016.html}}. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to Archiva 1.3.6 |
| |
| * The unsupported versions Archiva 1.2 to 1.2.2 are also affected. |
| |
| [] |
| |
| All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1 |
| or Archiva 1.3.8}}, which are not affected by this issue. |
| |
| Archiva 2.0.0 and later is not affected by this issue. |
| |
| * CVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability |
| |
| A request that included a specially crafted request parameter could be used |
| to inject arbitrary HTML or Javascript into the Archiva home page. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to Archiva 1.3.6 |
| |
| * The unsupported versions Archiva 1.2 to 1.2.2 are also affected. |
| |
| [] |
| |
| All users are recommended to upgrade to {{{./download.cgi} Archiva 2.0.1 |
| or Archiva 1.3.8}}, which are not affected by this issue. |
| |
| Archiva 2.0.0 and later is not affected by this issue. |
| |
| * CVE-2010-1870: Struts2 remote commands execution |
| |
| Apache Archiva is affected by a vulnerability in the version of the Struts |
| library being used, which allows a malicious user to run code on the |
| server remotely. More details about the vulnerability can be found at |
| {{http://struts.apache.org/2.2.1/docs/s2-005.html}}. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to Archiva 1.3.5 |
| |
| * The unsupported versions Archiva 1.2 to 1.2.2 are also affected. |
| |
| [] |
| |
| All users are recommended to upgrade to {{{./download.cgi} Archiva |
| 1.3.6}}, which configures Struts in such a way that it is not affected by |
| this issue. |
| |
| Archiva 1.4-M3 and later is not affected by this issue. |
| |
| * CVE-2011-1077: Multiple XSS issues |
| |
| Apache Archiva is vulnerable to multiple XSS issues, both stored (persistent) and reflected (non-persistent). Javascript which |
| might contain malicious code can be appended in a request parameter or stored as a value in a submitted form, and get executed. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to 1.3.4 |
| |
| * The unsupported versions Archiva 1.0 to 1.2.2 are also affected. |
| |
| [] |
| |
| * CVE-2011-1026: Multiple CSRF issues |
| |
| An attacker can build a simple html page containing a hidden Image tag (eg: <<<<img src=vulnurl width=0 height=0 />>>>) and |
| entice the administrator to access the page. |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to 1.3.4 |
| |
| * The unsupported versions Archiva 1.0 to 1.2.2 are also affected. |
| |
| [] |
| |
| * CVE-2011-0533: Apache Archiva cross-site scripting vulnerability |
| |
| A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the |
| Archiva user management page. This fix is available in version {{{./download.html} 1.3.4}} of Apache Archiva. All users must |
| upgrade to this version (or higher). |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to 1.3.3 |
| |
| * The unsupported versions Archiva 1.0 to 1.2.2 are also affected. |
| |
| [] |
| |
| * CVE-2010-3449: Apache Archiva CSRF Vulnerability |
| |
| Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force |
| archiva administrators to view it and change their credentials. To fix this, a referrer check was added to the security |
| interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also set |
| in place. This fix is available in version {{{./download.html} 1.3.2}} of Apache Archiva. All users must upgrade to this |
| version (or higher). |
| |
| Versions Affected: |
| |
| * Archiva 1.3 to 1.3.1 |
| |
| * Archiva 1.2 to 1.2.2 (end of life) |
| |
| * Archiva 1.1 to 1.1.4 (end of life) |
| |
| * Archiva 1.0 to 1.0.3 (end of life) |
| |
| [] |
| |
