[MAVEN:GHSA-HF4P-MHC8-X2GP] Apache Archiva vulnerable to Cross Site Request Forgery

Severity High

Affected Packages 1

Fixed Packages 1

CVEs 1

Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).

Package	Affected Version
pkg:maven/org.apache.archiva/archiva	< 2.2.3

Package	Fixed Version
pkg:maven/org.apache.archiva/archiva	= 2.2.3

ID: MAVEN:GHSA-HF4P-MHC8-X2GP
Severity: high
URL: https://github.com/advisories/GHSA-hf4p-mhc8-x2gp
Published: 2022-05-14T01:09:51
(2 years ago)
Modified: 2023-02-02T05:03:11
(19 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2017-5657
			https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
			http://archiva.apache.org/security.html#CVE-2017-5657
			http://www.securityfocus.com/bid/98570
			https://web.archive.org/web/20211206215453/https://securitytracker.com/id/1038528
			https://github.com/advisories/GHSA-hf4p-mhc8-x2gp

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.apache.archiva/archiva	org.apache.archiva	archiva	< 2.2.3
Fixed	pkg:maven/org.apache.archiva/archiva	org.apache.archiva	archiva	= 2.2.3

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date