Cross-site Request Forgery (CSRF) Affecting org.apache.archiva:archiva package, versions [,2.2.3)

Attack Complexity

Low
User Interaction

Required
Confidentiality

High
Integrity

High
Availability

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-ORGAPACHEARCHIVA-31506
published

14 Sep 2017
disclosed

18 May 2017
credit

Unknown

Report a new vulnerability Found a mistake?

Introduced: 18 May 2017

CVE-2017-5657 Open this link in a new tab CWE-352 Open this link in a new tab

How to fix?

Upgrade org.apache.archiva:archiva to version 2.2.3 or higher.

Overview

Affected versions of org.apache.archiva:archiva are vulnerable to Cross-site Request Forgery (CSRF). Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).

Cross-site Request Forgery (CSRF) Affecting org.apache.archiva:archiva package, versions [,2.2.3)

Attack Complexity

User Interaction

Confidentiality

Integrity

Availability

snyk-id

published

disclosed

credit

Introduced: 18 May 2017

How to fix?

Overview

References