CVE-2022-29405

Severity: 6.5 MEDIUM
EPSS: 1.3% (top 20.31%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 25; latest update May 26

Description

In Apache Archiva, any registered user can reset the password of any other user. This is fixed in Archiva 2.2.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 3 packages

Vulnerability Details (3)

GHSA: Missing Authorization in Apache Archiva (2022-05-26)
OSV: Missing Authorization in Apache Archiva (2022-05-26)
CVEList: Apache Archiva Arbitrary user password reset vulnerability (2022-05-25)