| <!DOCTYPE html> |
| <!-- |
| | Generated by Apache Maven Doxia Site Renderer 1.8.1 |
| | Rendered using Apache Maven Fluido Skin 1.6 |
| --> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| <head> |
| <meta charset="UTF-8" /> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0" /> |
| <meta http-equiv="Content-Language" content="en" /> |
| <title>Archiva – Security Vulnerabilities</title> |
| <link rel="stylesheet" href="./css/apache-maven-fluido-1.6.min.css" /> |
| <link rel="stylesheet" href="./css/site.css" /> |
| <link rel="stylesheet" href="./css/print.css" media="print" /> |
| <script type="text/javascript" src="./js/apache-maven-fluido-1.6.min.js"></script> |
| <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.5.0/css/font-awesome.min.css"> |
| |
| |
| <!-- Google Analytics --> |
| <script src='//www.google-analytics.com/analytics.js'></script> |
| <script> |
| window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; |
| |
| ga('create', 'UA-140879-5', 'auto'); |
| ga('send', 'pageview'); |
| |
| </script> |
| </head> |
| <body class="topBarEnabled"> |
| <a href="https://github.com/apache/archiva"> |
| <img style="position: absolute; top: 0; right: 0; border: 0; z-index: 10000;" |
| src="https://s3.amazonaws.com/github/ribbons/forkme_right_gray_6d6d6d.png" |
| alt="Fork me on GitHub"> |
| </a> |
| <div id="topbar" class="navbar navbar-fixed-top "> |
| <div class="navbar-inner"> |
| <div class="container"><div class="nav-collapse"> |
| <ul class="nav"> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Introduction <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a href="index.html" title="About">About</a></li> |
| <li><a href="download.html" title="Downloads">Downloads</a></li> |
| <li><a href="versions.html" title="Versions">Versions</a></li> |
| <li><a href="mailing-lists.html" title="Mailing Lists">Mailing Lists</a></li> |
| <li><a href="security.html" title="Security">Security</a></li> |
| <li class="dropdown-submenu"> |
| <a href="" title="Documentation">Documentation</a> |
| <ul class="dropdown-menu"> |
| <li><a href="docs/2.2.5/" title="Release 2.2.5">Release 2.2.5</a></li> |
| <li><a href="docs/3.0.0-SNAPSHOT/" title="Dev 3.0.0-SNAPSHOT">Dev 3.0.0-SNAPSHOT</a></li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Development <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a href="developers/building.html" title="Build Apache Archiva">Build Apache Archiva</a></li> |
| <li><a href="get-involved.html" title="Get involved">Get involved</a></li> |
| <li><a href="developers/how-we-do-things.html" title="How we do things">How we do things</a></li> |
| <li class="dropdown-submenu"> |
| <a href="" title="Developer Reference">Developer Reference</a> |
| <ul class="dropdown-menu"> |
| <li><a href="ref/2.2.5/index.html" title="Archiva 2.2.5">Archiva 2.2.5</a></li> |
| <li><a href="ref/3.0.0-SNAPSHOT/index.html" title="Archiva 3.0.0-SNAPSHOT">Archiva 3.0.0-SNAPSHOT</a></li> |
| <li><a href="redback/core/3.0.0-SNAPSHOT/index.html" title="Redback 3.0.0-SNAPSHOT">Redback 3.0.0-SNAPSHOT</a></li> |
| </ul> |
| </li> |
| <li><a href="redback/index.html" title="Redback">Redback</a></li> |
| <li><a href="components/index.html" title="Archiva Components Project">Archiva Components Project</a></li> |
| <li class="dropdown-submenu"> |
| <a href="jsui/index.html" title="Javascript application Architecture">Javascript application Architecture</a> |
| <ul class="dropdown-menu"> |
| <li><a href="jsui/rest.html" title="Rest service">Rest service</a></li> |
| <li><a href="jsui/template-loading.html" title="JS Template loading">JS Template loading</a></li> |
| <li><a href="jsui/i18n.html" title="i18n">i18n</a></li> |
| <li><a href="jsui/knockout-binding.html" title="Knockout Binding">Knockout Binding</a></li> |
| <li><a href="jsui/generics-js.html" title="Generic Javascipts">Generic Javascipts</a></li> |
| </ul> |
| </li> |
| <li><a href="developers/releasing.html" title="Releasing">Releasing</a></li> |
| <li><a href="developers/publishing-site.html" title="Site Publish">Site Publish</a></li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">ASF <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li><a href="https://www.apache.org/foundation/how-it-works.html" title="How Apache Works">How Apache Works</a></li> |
| <li><a href="https://www.apache.org/foundation/" title="Foundation">Foundation</a></li> |
| <li><a href="https://www.apache.org/foundation/sponsorship.html" title="Sponsoring Apache">Sponsoring Apache</a></li> |
| <li><a href="https://www.apache.org/foundation/thanks.html" title="Thanks">Thanks</a></li> |
| </ul> |
| </li> |
| <li class="dropdown"> |
| <a href="#" class="dropdown-toggle" data-toggle="dropdown">Project Documentation <b class="caret"></b></a> |
| <ul class="dropdown-menu"> |
| <li class="dropdown-submenu"> |
| <a href="project-info.html" title="Project Information">Project Information</a> |
| <ul class="dropdown-menu"> |
| <li><a href="ci-management.html" title="CI Management">CI Management</a></li> |
| <li><a href="mailing-lists.html" title="Mailing Lists">Mailing Lists</a></li> |
| <li><a href="issue-management.html" title="Issue Management">Issue Management</a></li> |
| <li><a href="licenses.html" title="Licenses">Licenses</a></li> |
| <li><a href="team.html" title="Team">Team</a></li> |
| <li><a href="scm.html" title="Source Code Management">Source Code Management</a></li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| <form id="search-form" action="https://www.google.com/search" method="get" class="navbar-search pull-right" > |
| <input value="https://archiva.apache.org/" name="sitesearch" type="hidden"/> |
| <input class="search-query" name="q" id="query" type="text" /> |
| </form> |
| <script type="text/javascript">asyncJs( 'https://cse.google.com/brand?form=search-form' )</script> |
| </div> |
| </div> |
| </div> |
| </div> |
| <div class="container"> |
| <div id="banner"> |
| <div class="pull-left"><a href="http://archiva.apache.org/index.html" id="bannerLeft"><img src="http://archiva.apache.org/images/archiva.png" alt="Apache Archiva"/></a></div> |
| <div class="pull-right"><a href="http://www.apache.org/" id="bannerRight"><img src="https://www.apache.org/images/asf_logo_wide_2016.png" alt="Apache Software Foundation"/></a></div> |
| <div class="clear"><hr/></div> |
| </div> |
| |
| <div id="breadcrumbs"> |
| <ul class="breadcrumb"> |
| <li class=""><a href="https://www.apache.org" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li> |
| <li class=""><a href="./" title="Archiva">Archiva</a><span class="divider">/</span></li> |
| <li class="active ">Security Vulnerabilities</li> |
| <li id="publishDate" class="pull-right">Last Published: 15 Jun 2020</li> |
| </ul> |
| </div> |
| <div id="bodyColumn" > |
| <div class="section"> |
| <h2><a name="Security_Vulnerabilities"></a>Security Vulnerabilities</h2> |
| <p>Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache Archiva version where that vulnerability has been fixed.</p> |
| <p>For more information about reporting vulnerabilities, see the <a class="externalLink" href="http://www.apache.org/security/"> Apache Security Team</a> page.</p> |
| <p>This is a list of known issues</p> |
| <ul> |
| <li><a href="#CVE-2020-9495:_Apache_Archiva_login_service_is_vulnerable_to_LDAP_injection">CVE-2020-9495: Apache Archiva login service is vulnerable to LDAP injection</a></li> |
| <li><a href="#CVE-2019-0213:_Apache_Archiva_XSS_may_be_stored_in_central_UI_configuration">CVE-2019-0213: Apache Archiva XSS may be stored in central UI configuration</a></li> |
| <li><a href="#CVE-2019-0214:_Apache_Archiva_arbitrary_file_write_and_delete_on_the_server">CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server</a></li> |
| <li><a href="#CVE-2017-5657:_Apache_Archiva_CSRF_vulnerabilities_for_various_REST_endpoints">CVE-2017-5657: Apache Archiva CSRF vulnerabilities for various REST endpoints</a></li> |
| <li><a href="#CVE-2013-2251:_Apache_Archiva_Remote_Command_Execution">CVE-2013-2251: Apache Archiva Remote Command Execution</a></li> |
| <li><a href="#CVE-2013-2187:_Apache_Archiva_Cross-Site_Scripting_vulnerability">CVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability</a></li> |
| <li><a href="#CVE-2010-1870:_Struts2_remote_commands_execution">CVE-2010-1870: Struts2 remote commands execution</a></li> |
| <li><a href="#CVE-2011-1077:_Multiple_XSS_issues">CVE-2011-1077: Multiple XSS issues</a></li> |
| <li><a href="#CVE-2011-1026:_Multiple_CSRF_issues">CVE-2011-1026: Multiple CSRF issues</a></li> |
| <li><a href="#CVE-2011-0533:_Apache_Archiva_cross-site_scripting_vulnerability">CVE-2011-0533: Apache Archiva cross-site scripting vulnerability</a></li> |
| <li><a href="#CVE-2010-3449:_Apache_Archiva_CSRF_Vulnerability">CVE-2010-3449: Apache Archiva CSRF Vulnerability</a></li></ul> |
| <div class="section"> |
| <h3><a name="CVE-2020-9495:_Apache_Archiva_login_service_is_vulnerable_to_LDAP_injection"></a><a name="CVE-2020-9495">CVE-2020-9495</a>: Apache Archiva login service is vulnerable to LDAP injection</h3> |
| <p>By providing special values to the archiva login form a attacker is able to retrieve user attribute data from the connected LDAP server. With certain characters it is possible to modify the LDAP filter used to query the users on the connected LDAP server. By measuring the response time, arbitrary attribute data can be retrieved from LDAP user objects.</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>All versions before 2.2.5</li></ul> |
| <p>Mitigation:</p> |
| <ul> |
| <li>Upgrade to <a href="./download.cgi"> Archiva 2.2.5 or higher</a></li> |
| <li>Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users are assigned to admin role.</li></ul></div> |
| <div class="section"> |
| <h3><a name="CVE-2019-0213:_Apache_Archiva_XSS_may_be_stored_in_central_UI_configuration"></a><a name="CVE-2019-0213">CVE-2019-0213</a>: Apache Archiva XSS may be stored in central UI configuration</h3> |
| <p>It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised. </p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>All versions before 2.2.4</li></ul> |
| <p>Mitigation:</p> |
| <ul> |
| <li>Upgrade to <a href="./download.cgi"> Archiva 2.2.4 or higher</a></li> |
| <li>Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users are assigned to admin role.</li></ul></div> |
| <div class="section"> |
| <h3><a name="CVE-2019-0214:_Apache_Archiva_arbitrary_file_write_and_delete_on_the_server"></a><a name="CVE-2019-0214">CVE-2019-0214</a>: Apache Archiva arbitrary file write and delete on the server</h3> |
| <p>It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>All versions before 2.2.4</li></ul> |
| <p>Mitigation:</p> |
| <ul> |
| <li>It is highly recommended to upgrade to <a href="./download.cgi"> Archiva 2.2.4 or higher</a>, where additional validations are implemented to prevent such malicious parameter values.</li> |
| <li>As intermediate action you may reduce the number of users that are allowed to upload to archiva and make sure, that the archiva run user may have only write permission to the directories needed.</li></ul></div> |
| <div class="section"> |
| <h3><a name="CVE-2017-5657:_Apache_Archiva_CSRF_vulnerabilities_for_various_REST_endpoints"></a><a name="CVE-2017-5657">CVE-2017-5657</a>: Apache Archiva CSRF vulnerabilities for various REST endpoints</h3> |
| <p>Several REST service endpoints of Apache Archiva are not protected against CSRF attacks. A malicious site opened in the same browser as the archiva site, may send HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. adminstrator rights).</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>All versions before 2.2.3</li></ul> |
| <p>Mitigation:</p> |
| <ul> |
| <li>Upgrade to <a href="./download.html"> Archiva 2.2.3 or higher</a>, where additional measures are taken to verify the origin of REST requests.</li></ul></div> |
| <div class="section"> |
| <h3><a name="CVE-2013-2251:_Apache_Archiva_Remote_Command_Execution"></a><a name="CVE-2013-2251">CVE-2013-2251</a>: Apache Archiva Remote Command Execution</h3> |
| <p>Apache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at <a class="externalLink" href="http://struts.apache.org/release/2.3.x/docs/s2-016.html">http://struts.apache.org/release/2.3.x/docs/s2-016.html</a>.</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>Archiva 1.3 to Archiva 1.3.6</li></ul> |
| <ul> |
| <li>The unsupported versions Archiva 1.2 to 1.2.2 are also affected.</li></ul> |
| <p>All users are recommended to upgrade to <a href="./download.cgi"> Archiva 2.0.1 or Archiva 1.3.8</a>, which are not affected by this issue.</p> |
| <p>Archiva 2.0.0 and later is not affected by this issue.</p></div> |
| <div class="section"> |
| <h3><a name="CVE-2013-2187:_Apache_Archiva_Cross-Site_Scripting_vulnerability"></a><a name="CVE-2013-2187">CVE-2013-2187</a>: Apache Archiva Cross-Site Scripting vulnerability</h3> |
| <p>A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva home page.</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>Archiva 1.3 to Archiva 1.3.6</li></ul> |
| <ul> |
| <li>The unsupported versions Archiva 1.2 to 1.2.2 are also affected.</li></ul> |
| <p>All users are recommended to upgrade to <a href="./download.cgi"> Archiva 2.0.1 or Archiva 1.3.8</a>, which are not affected by this issue.</p> |
| <p>Archiva 2.0.0 and later is not affected by this issue.</p></div> |
| <div class="section"> |
| <h3><a name="CVE-2010-1870:_Struts2_remote_commands_execution"></a><a name="CVE-2010-1870">CVE-2010-1870</a>: Struts2 remote commands execution</h3> |
| <p>Apache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at <a class="externalLink" href="http://struts.apache.org/2.2.1/docs/s2-005.html">http://struts.apache.org/2.2.1/docs/s2-005.html</a>.</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>Archiva 1.3 to Archiva 1.3.5</li></ul> |
| <ul> |
| <li>The unsupported versions Archiva 1.2 to 1.2.2 are also affected.</li></ul> |
| <p>All users are recommended to upgrade to <a href="./download.cgi"> Archiva 1.3.6</a>, which configures Struts in such a way that it is not affected by this issue.</p> |
| <p>Archiva 1.4-M3 and later is not affected by this issue.</p></div> |
| <div class="section"> |
| <h3><a name="CVE-2011-1077:_Multiple_XSS_issues"></a><a name="CVE-2011-1077">CVE-2011-1077</a>: Multiple XSS issues</h3> |
| <p>Apache Archiva is vulnerable to multiple XSS issues, both stored (persistent) and reflected (non-persistent). Javascript which might contain malicious code can be appended in a request parameter or stored as a value in a submitted form, and get executed.</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>Archiva 1.3 to 1.3.4</li> |
| <li>The unsupported versions Archiva 1.0 to 1.2.2 are also affected.</li></ul></div> |
| <div class="section"> |
| <h3><a name="CVE-2011-1026:_Multiple_CSRF_issues"></a><a name="CVE-2011-1026">CVE-2011-1026</a>: Multiple CSRF issues</h3> |
| <p>An attacker can build a simple html page containing a hidden Image tag (eg: <tt><img src=vulnurl width=0 height=0 /</tt>>) and entice the administrator to access the page.</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>Archiva 1.3 to 1.3.4</li> |
| <li>The unsupported versions Archiva 1.0 to 1.2.2 are also affected.</li></ul></div> |
| <div class="section"> |
| <h3><a name="CVE-2011-0533:_Apache_Archiva_cross-site_scripting_vulnerability"></a><a name="CVE-2011-0533">CVE-2011-0533</a>: Apache Archiva cross-site scripting vulnerability</h3> |
| <p>A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva user management page. This fix is available in version <a href="./download.html"> 1.3.4</a> of Apache Archiva. All users must upgrade to this version (or higher).</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>Archiva 1.3 to 1.3.3</li> |
| <li>The unsupported versions Archiva 1.0 to 1.2.2 are also affected.</li></ul></div> |
| <div class="section"> |
| <h3><a name="CVE-2010-3449:_Apache_Archiva_CSRF_Vulnerability"></a><a name="CVE-2010-3449">CVE-2010-3449</a>: Apache Archiva CSRF Vulnerability</h3> |
| <p>Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force archiva administrators to view it and change their credentials. To fix this, a referrer check was added to the security interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also set in place. This fix is available in version <a href="./download.html"> 1.3.2</a> of Apache Archiva. All users must upgrade to this version (or higher).</p> |
| <p>Versions Affected:</p> |
| <ul> |
| <li>Archiva 1.3 to 1.3.1</li> |
| <li>Archiva 1.2 to 1.2.2 (end of life)</li> |
| <li>Archiva 1.1 to 1.1.4 (end of life)</li> |
| <li>Archiva 1.0 to 1.0.3 (end of life)</li></ul></div></div> |
| </div> |
| </div> |
| <hr/> |
| <footer> |
| <div class="container"> |
| <div class="row"> |
| <div class="row pull-left">Apache Archiva, Archiva, Apache, the Apache feather logo, and the Apache Archiva project logos are trademarks of The Apache Software Foundation.</div> |
| <div class="row"> |
| |
| </div> |
| <div class="row"> |
| <p> |
| <a href="https://archiva.apache.org/privacy-policy.html">Privacy Policy</a> |
| </p> |
| </div> |
| </div> |
| <p id="poweredBy" class="pull-right"> <a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"><img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" /></a> |
| </p> |
| <div id="ohloh" class="pull-right"> |
| <script type="text/javascript" src="https://www.ohloh.net/p/6670/widgets/project_thin_badge.js"></script> |
| </div> |
| </div> |
| </footer> |
| </body> |
| </html> |