Cross-site Request Forgery (CSRF) Affecting org.apache.archiva:archiva package, versions [,2.2.3)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.1% (43rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGAPACHEARCHIVA-31506
  • published14 Sept 2017
  • disclosed18 May 2017
  • creditUnknown

Introduced: 18 May 2017

CVE-2017-5657  (opens in a new tab)
CWE-352  (opens in a new tab)

How to fix?

Upgrade org.apache.archiva:archiva to version 2.2.3 or higher.

Overview

Affected versions of org.apache.archiva:archiva are vulnerable to Cross-site Request Forgery (CSRF). Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).

CVSS Scores

version 3.1