Archiva Apache Archiva

stack.watch can notify you when security vulnerabilities are reported in Apache Archiva. You can add multiple products that you use with Archiva to create your own personal software stack watcher.

By the Year

In 2020 there has been 1 vulnerability in Apache Archiva, with an average score of 5.3 out of ten. Last year Archiva had 2 security vulnerabilities published. Right now, Archiva is on track to have fewer security vulnerabilities in 2020 than it did last year. Last year, the average CVE base score was greater by 1.20.

Year  Vulnerabilities  Average Score
2020  1                5.30
2019  2                6.50
2018  0                0.00

It may take a day or so for new Archiva vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest Apache Archiva Security Vulnerabilities

Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection

CVE-2020-9495 5.3 - Medium - June 19, 2020

The Apache Archiva login service before 2.2.5 is vulnerable to LDAP injection. An attacker is able to retrieve user attribute data from the connected LDAP server by providing special values to the login form. With certain characters it is possible to modify the LDAP filter used to query the LDAP users. By measuring the response time for the login request, arbitrary attribute data can be retrieved from LDAP user objects.

CVE-2020-9495 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be a small impact on confidentiality, and a small impact on integrity and availability.

Downstream Injection
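The LDAP injection in CVE-2020-9495 arises when login input reaches the LDAP search filter unescaped. The following added example (not Archiva's code) shows the vulnerable interpolation pattern beside a hardened form that allowlists the login name and escapes the RFC 4515 filter metacharacters; the allowlist regex, the attribute names and the constructed login value are assumptions.

```python
import re

# RFC 4515 section 3: characters with special meaning inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Hypothetical allowlist for login names; a real deployment derives it from its directory schema.
_LOGIN_NAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_safe_login_name(username: str) -> bool:
    """Allowlist check: only the characters a login name may legitimately contain."""
    return _LOGIN_NAME_RE.fullmatch(username) is not None


def unsafe_login_filter(username: str) -> str:
    """The vulnerable pattern: the login name is interpolated into the filter verbatim."""
    return f"(&(objectClass=inetOrgPerson)(uid={username}))"


def safe_login_filter(username: str) -> str:
    """Hardened form: reject names outside the allowlist, then escape as defence in depth."""
    if not is_safe_login_name(username):
        raise ValueError("login name contains characters outside the allowed set")
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


def count_filter_items(filter_str: str) -> int:
    """Number of attribute comparisons in a filter; a login lookup should have exactly two."""
    return len(re.findall(r"\(([A-Za-z][A-Za-z0-9.;-]*)(=|~=|>=|<=)", filter_str))


if __name__ == "__main__":
    crafted = "alice)(mail=*"  # constructed login value carrying filter metacharacters
    print(unsafe_login_filter(crafted), count_filter_items(unsafe_login_filter(crafted)))
    escaped = f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(crafted)}))"
    print(escaped, count_filter_items(escaped))
    print(is_safe_login_name(crafted), is_safe_login_name("alice"))
```

A filter whose comparison count differs from the expected two is a useful assertion to log at the authentication layer, since it indicates user input has altered the query structure.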


CVE-2019-0213 6.5 - Medium - April 30, 2019

In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

CVE-2019-0213 can be exploited with network access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation


CVE-2019-0214 6.5 - Medium - April 30, 2019

In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the Archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten if the Archiva run user has appropriate permission on the filesystem for the target file.

CVE-2019-0214 is exploitable with network access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Improper Input Validation