Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-3449 — Cross-Site Request Forgery in Mcconnell Redback

CWE-352 — Cross-Site Request Forgery CWE-862 — Missing Authorization5 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

2.4%

top 14.88%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Jesse Mcconnell Redback Apache Archiva

Timeline

PublishedDec 6

Latest updateMay 14

Description

Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1; and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1; allows remote attackers to hijack the authentication of administrators for requests that modify credentials.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDapache/archiva14 versions+13

▶NVDjesse_mcconnell/redback1.2.3+10

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

GHSA

GHSA-c9q3-7wj8-34wx: Cross-site request forgery (CSRF) vulnerability in Redback before 1↗2022-05-14

▶

GHSA

Apache Archiva does not require entry of the administrator's password at the time of modifying a user account↗2022-05-14

▶

CVEList

CVE-2010-3449: Cross-site request forgery (CSRF) vulnerability in Redback before 1↗2010-12-06

▶

💥Exploits & PoCs

Exploit-DB

Apache Archiva 1.0 < 1.3.1 - Cross-Site Request Forgery↗2010-12-09

▶