Apache Software Foundation Apache Archiva vulnerabilities
8 known vulnerabilities affecting apache_software_foundation/apache_archiva.
Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 4
Vulnerabilities
CVE-2024-27138 | HIGH | CVSS 7.5 | CWE-863 | affected: ≥ 2.0.0, ≤ * | published 2024-03-01
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva.
Apache Archiva has a setting to disable user registration; however, this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a
Sources: cvelistv5, nvd
CVE-2024-27139 | HIGH | CVSS 7.5 | CWE-863 | affected: ≥ 2.0.0, ≤ * | published 2024-03-01
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover.
This issue affects Apache Archiva: from 2.0.0.
As this project is retired, we do not plan to release a version that fixes this
Sources: cvelistv5, nvd
CVE-2024-27140 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ 2.0.0, ≤ * | published 2024-03-01
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva.
This issue affects Apache Archiva: from 2.0.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access t
Sources: cvelistv5, nvd
CVE-2023-28158 | MEDIUM | CVSS 5.4 | CWE-79 | affected: ≥ 2.0, < 2.2.10 | published 2023-03-29
Privilege escalation via stored XSS using the file upload service to upload malicious content.
The issue can be exploited only by authenticated users who can create a directory name to inject XSS content and gain privileges such as those of an admin user.
Sources: cvelistv5, nvd
CVE-2022-40308 | HIGH | CVSS 7.5 | affected: ≥ Apache Archiva, ≤ 2.2.8 | published 2022-11-15
If anonymous read is enabled, it's possible to read the database file directly without logging in.
Sources: cvelistv5, nvd
CVE-2022-40309 | MEDIUM | CVSS 4.3 | affected: ≥ unspecified, ≤ 2.2.8 | published 2022-11-15
Users with write permissions to a repository can delete arbitrary directories.
Sources: cvelistv5, nvd
CVE-2022-29405 | MEDIUM | CVSS 6.5 | affected: ≥ 2.2, ≤ 2.2.7 | published 2022-05-25
In Apache Archiva, any registered user can reset the password for any user. This is fixed in Archiva 2.2.8.
Sources: cvelistv5, nvd
CVE-2017-5657 | HIGH | CVSS 8.0 | CWE-352 | affected: v1.x, v2.0.0, 2.0.1, +2 more | published 2017-05-22
Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).
Sources: cvelistv5, nvd