Fork me on GitHub

Security Vulnerabilities

Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache Archiva version where that vulnerability has been fixed.

For more information about reporting vulnerabilities, see the Apache Security Team page.

This is a list of known issues

CVE-2017-5657: Apache Archiva CSRF vulnerabilities for various REST endpoints

Several REST service endpoints of Apache Archiva are not protected against CSRF attacks. A malicious site opened in the same browser as the archiva site, may send HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. adminstrator rights).

Versions Affected:

  • All versions before 2.2.3

Mitigation:

CVE-2013-2251: Apache Archiva Remote Command Execution

Apache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at http://struts.apache.org/release/2.3.x/docs/s2-016.html.

Versions Affected:

  • Archiva 1.3 to Archiva 1.3.6
  • The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

All users are recommended to upgrade to Archiva 2.0.1 or Archiva 1.3.8, which are not affected by this issue.

Archiva 2.0.0 and later is not affected by this issue.

CVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability

A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva home page.

Versions Affected:

  • Archiva 1.3 to Archiva 1.3.6
  • The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

All users are recommended to upgrade to Archiva 2.0.1 or Archiva 1.3.8, which are not affected by this issue.

Archiva 2.0.0 and later is not affected by this issue.

CVE-2010-1870: Struts2 remote commands execution

Apache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at http://struts.apache.org/2.2.1/docs/s2-005.html.

Versions Affected:

  • Archiva 1.3 to Archiva 1.3.5
  • The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

All users are recommended to upgrade to Archiva 1.3.6, which configures Struts in such a way that it is not affected by this issue.

Archiva 1.4-M3 and later is not affected by this issue.

CVE-2011-1077: Multiple XSS issues

Apache Archiva is vulnerable to multiple XSS issues, both stored (persistent) and reflected (non-persistent). Javascript which might contain malicious code can be appended in a request parameter or stored as a value in a submitted form, and get executed.

Versions Affected:

  • Archiva 1.3 to 1.3.4
  • The unsupported versions Archiva 1.0 to 1.2.2 are also affected.

CVE-2011-1026: Multiple CSRF issues

An attacker can build a simple html page containing a hidden Image tag (eg: <img src=vulnurl width=0 height=0 />) and entice the administrator to access the page.

Versions Affected:

  • Archiva 1.3 to 1.3.4
  • The unsupported versions Archiva 1.0 to 1.2.2 are also affected.

CVE-2011-0533: Apache Archiva cross-site scripting vulnerability

A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva user management page. This fix is available in version 1.3.4 of Apache Archiva. All users must upgrade to this version (or higher).

Versions Affected:

  • Archiva 1.3 to 1.3.3
  • The unsupported versions Archiva 1.0 to 1.2.2 are also affected.

CVE-2010-3449: Apache Archiva CSRF Vulnerability

Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force archiva administrators to view it and change their credentials. To fix this, a referrer check was added to the security interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also set in place. This fix is available in version 1.3.2 of Apache Archiva. All users must upgrade to this version (or higher).

Versions Affected:

  • Archiva 1.3 to 1.3.1
  • Archiva 1.2 to 1.2.2 (end of life)
  • Archiva 1.1 to 1.1.4 (end of life)
  • Archiva 1.0 to 1.0.3 (end of life)