Apache Software Foundation Archiva 2.2.4

CPE Details

Apache Software Foundation Archiva 2.2.4
apache
archiva
2.2.4
2019-05-01
13h30 +00:00
2019-05-01
13h30 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:apache:archiva:2.2.4:*:*:*:*:*:*:*

Informations

Vendor

apache

Product

archiva

Version

2.2.4

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2024-27138 2024-03-01 15h41 +00:00 ** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva. Apache Archiva has a setting to disable user registration, however this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolate your instance from any untrusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
7.5
High
CVE-2024-27139 2024-03-01 15h40 +00:00 ** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
7.5
High
CVE-2024-27140 2024-03-01 15h40 +00:00 ** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Archiva. This issue affects Apache Archiva: from 2.0.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. Alternatively, you could configure a HTTP proxy in front of your Archiva instance to only forward requests that do not have malicious characters in the URL. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
5.4
Medium
CVE-2023-28158 2023-03-29 12h21 +00:00 Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users which can create directory name to inject some XSS content and gain some privileges such admin user.
6.5
Medium
CVE-2022-40308 2022-11-15 00h00 +00:00 If anonymous read enabled, it's possible to read the database file directly without logging in.
7.5
High
CVE-2022-40309 2022-11-15 00h00 +00:00 Users with write permissions to a repository can delete arbitrary directories.
4.3
Medium
CVE-2022-29405 2022-05-25 05h15 +00:00 In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
6.5
Medium
CVE-2020-9495 2020-06-19 16h59 +00:00 Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. A attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.
5.3
Medium
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.