CVE-2010-3449
Published 2010-12-06
Priority P3 · 38 · medium · CVSS 2.0 base score 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit
EPSS: 4.84% (90.9th percentile)
Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1; and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1; allows remote attackers to hijack the authentication of administrators for requests that modify credentials.
Affected
25 version entries indexed; the table collapses them to the ranges given in the description.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | archiva | 1.0 through 1.0.3 | — |
| apache | archiva | 1.1 through 1.1.4 | — |
| apache | archiva | 1.2 through 1.2.2 | — |
| apache | archiva | 1.3 through 1.3.1 | — |
| jesse_mcconnell | redback | <= 1.2.3 | 1.2.4 |
Apache Continuum 1.3.6, 1.4.0 and 1.1 through 1.2.3.1 are also affected per the description but have no row in the indexed affected data.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 6.8 | MEDIUM | — |
| osv | — | 6.8 | MEDIUM | — |
OSV
CVE-2010-4408 [MEDIUM] Apache Archiva does not require entry of the administrator's password at the time of modifying a user account
osv · 2022-05-14 · CVSS 6.8
Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.
GHSA
GHSA-c9q3-7wj8-34wx (ghsa_unreviewed · 2022-05-14)
CVE-2010-3449 [MEDIUM] CWE-352: Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4
Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1; and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1; allows remote attackers to hijack the authentication of administrators for requests that modify credentials.
GHSA
CVE-2010-4408 [MEDIUM] CWE-862: Apache Archiva does not require entry of the administrator's password at the time of modifying a user account
ghsa · 2022-05-14 · CVSS 6.8
Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.
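The two descriptions above, the CSRF in CVE-2010-3449 and the missing current-password check in CVE-2010-4408, are two halves of one weak credential-change endpoint: the browser attaches the administrator's session cookie to a cross-site form post automatically, and if that cookie is the only thing the server checks, the attacker needs nothing else. The block below is an added example, not Redback or Archiva code and not the referenced fix (revision 1038518 touches the webapp's struts.xml; this is framework-free Python). It puts a handler in the vulnerable shape beside a hardened one that adds a per-session synchronizer token and requires the acting administrator's current password. `Session`, `Request`, the user store and the handler names are hypothetical, and the accounts are constructed for the demo.

```python
# Added example: a credential-change endpoint in the shape CVE-2010-3449 and
# CVE-2010-4408 describe, beside a hardened version. Not Redback/Archiva code;
# Session, Request, the user store and the handler names are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ITERATIONS = 50_000  # PBKDF2 work factor, kept modest so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def set_password(users: dict, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    users[username] = (salt, hash_password(password, salt))


def verify_password(users: dict, username: str, password: str) -> bool:
    salt, stored = users[username]
    return hmac.compare_digest(hash_password(password, salt), stored)


@dataclass
class Session:
    """Server-side session for a logged-in user, keyed by a cookie the browser
    attaches to every request to this origin, cross-site form posts included."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    session: Session  # resolved from the cookie; present on forged requests too
    form: dict        # POST body


def change_password_vulnerable(req: Request, users: dict) -> int:
    """CVE-2010-3449 + CVE-2010-4408 pattern: the session cookie is the only thing
    checked. No per-session token, and the acting admin's current password is
    not required, so an auto-submitted cross-origin form (or anyone at an
    unattended workstation) can reset any account."""
    set_password(users, req.form["username"], req.form["new_password"])
    return 200


def change_password_hardened(req: Request, users: dict) -> int:
    # Synchronizer token (closes the CSRF): the value must be the one the server
    # rendered into this session's form. A page on another origin can make the
    # browser send the cookie but cannot read the token to copy it.
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return 403
    # Re-authentication (closes the missing-password check): the request must
    # carry the acting administrator's current password, which neither a forged
    # request nor a walk-up attacker at an unlocked screen has.
    if not verify_password(users, req.session.user, req.form.get("current_password", "")):
        return 403
    set_password(users, req.form["username"], req.form["new_password"])
    return 200


def demo() -> dict:
    """Runs a forged, a walk-up and a legitimate request against both handlers
    on a constructed user store and reports what each achieved."""
    users = {}
    set_password(users, "admin", "correct horse battery")
    set_password(users, "alice", "alice-old")
    admin = Session(user="admin")

    # What an auto-submitting <form> on the attacker's site produces in the
    # admin's browser: cookie present, token and current password unknown.
    forged = Request(admin, {"username": "alice", "new_password": "pwned"})
    # Someone at the admin's unlocked desk: the rendered page gives them the
    # token, but not the admin's password.
    walk_up = Request(admin, {"username": "alice", "new_password": "pwned",
                              "csrf_token": admin.csrf_token})
    legit = Request(admin, {"username": "alice", "new_password": "alice-new",
                            "csrf_token": admin.csrf_token,
                            "current_password": "correct horse battery"})

    r = {}
    r["vuln_forged"] = change_password_vulnerable(forged, users)
    r["vuln_alice_reset"] = verify_password(users, "alice", "pwned")
    set_password(users, "alice", "alice-old")  # restore before the hardened run
    r["hard_forged"] = change_password_hardened(forged, users)
    r["hard_walk_up"] = change_password_hardened(walk_up, users)
    r["hard_alice_intact"] = verify_password(users, "alice", "alice-old")
    r["hard_legit"] = change_password_hardened(legit, users)
    r["hard_alice_new"] = verify_password(users, "alice", "alice-new")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`demo()` shows the forged request (cookie only) succeeding against the vulnerable handler and failing the token check in the hardened one, the walk-up request (token but no password) failing the re-authentication step, and the legitimate request succeeding. The token is compared with `hmac.compare_digest` so a wrong guess does not leak timing; an Origin/Referer check or SameSite cookies would be defence in depth on top of it, not a replacement.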
No detection rules found.
No writeups or analysis indexed.
References
http://archiva.apache.org/security.html
http://continuum.apache.org/security.html
http://jira.codehaus.org/browse/MRM-1438
http://mail-archives.apache.org/mod_mbox/archiva-users/201011.mbox/ajax/%3CAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2%40mail.gmail.com%3E
http://mail-archives.apache.org/mod_mbox/continuum-users/201102.mbox/%3C032C189E-D821-4833-A8F2-F72365147695%40apache.org%3E
http://seclists.org/fulldisclosure/2011/Feb/238
http://secunia.com/advisories/42376
http://secunia.com/advisories/43261
http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml?r1=1038518&r2=1038517&pathrev=1038518
http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/pom.xml?r1=1038518&r2=1038517&pathrev=1038518
http://svn.apache.org/viewvc?view=revision&revision=1038518
http://svn.apache.org/viewvc?view=revision&revision=1066010
http://www.osvdb.org/69520
http://www.securityfocus.com/archive/1/514937/100/0/threaded
http://www.securityfocus.com/archive/1/516341/100/0/threaded
http://www.securityfocus.com/bid/45095
http://www.securitytracker.com/id?1025066
http://www.vupen.com/english/advisories/2010/3098
http://www.vupen.com/english/advisories/2011/0373