This project has retired. For details please refer to its Attic page.
Archiva – Security Vulnerabilities Fork me on GitHub

Security Vulnerabilities

Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache Archiva version where that vulnerability has been fixed.

For more information about reporting vulnerabilities, see the Apache Security Team page.

This is a list of known issues

CVE-2023-28158: Privilege escalation via stored XSS

Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users which can create directory name to inject some XSS content and gain some privileges such admin user.

CVE-2022-29405: Apache Archiva Arbitrary user password reset vulnerability

CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation

This may be used by attackers, if users changed the default Archiva log4j2.xml configuration.

CVE-2021-45046: Apache log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations

This may be used by attackers, if users changed the default Archiva log4j2.xml configuration.

CVE-2021-44228: Apache log4j2 is vulnerable to remote code execution

As mentioned in this CVE Apache log4j2 libraries are vulnerable to remote code execution. Archiva is using log4j2 libraries and is therefore vulnerable to the same scenarios mentioned in this CVE. Attackers may be able to inject statements into the HTTP requests which may be interpreted by the logging library and lead to the download of arbitrary code from remote servers.

CVE-2020-9495: Apache Archiva login service is vulnerable to LDAP injection

By providing special values to the archiva login form a attacker is able to retrieve user attribute data from the connected LDAP server. With certain characters it is possible to modify the LDAP filter used to query the users on the connected LDAP server. By measuring the response time, arbitrary attribute data can be retrieved from LDAP user objects.

Versions Affected:

  • All versions before 2.2.5

Mitigation:

CVE-2019-0213: Apache Archiva XSS may be stored in central UI configuration

It may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

Versions Affected:

  • All versions before 2.2.4

Mitigation:

  • Upgrade to Archiva 2.2.4 or higher
  • Make sure, that communication between Archiva server and browser is secure by using TLS and only certain users are assigned to admin role.

CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server

It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

Versions Affected:

  • All versions before 2.2.4

Mitigation:

  • It is highly recommended to upgrade to Archiva 2.2.4 or higher, where additional validations are implemented to prevent such malicious parameter values.
  • As intermediate action you may reduce the number of users that are allowed to upload to archiva and make sure, that the archiva run user may have only write permission to the directories needed.

CVE-2017-5657: Apache Archiva CSRF vulnerabilities for various REST endpoints

Several REST service endpoints of Apache Archiva are not protected against CSRF attacks. A malicious site opened in the same browser as the archiva site, may send HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. adminstrator rights).

Versions Affected:

  • All versions before 2.2.3

Mitigation:

CVE-2013-2251: Apache Archiva Remote Command Execution

Apache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at http://struts.apache.org/release/2.3.x/docs/s2-016.html.

Versions Affected:

  • Archiva 1.3 to Archiva 1.3.6
  • The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

All users are recommended to upgrade to Archiva 2.0.1 or Archiva 1.3.8, which are not affected by this issue.

Archiva 2.0.0 and later is not affected by this issue.

CVE-2013-2187: Apache Archiva Cross-Site Scripting vulnerability

A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva home page.

Versions Affected:

  • Archiva 1.3 to Archiva 1.3.6
  • The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

All users are recommended to upgrade to Archiva 2.0.1 or Archiva 1.3.8, which are not affected by this issue.

Archiva 2.0.0 and later is not affected by this issue.

CVE-2010-1870: Struts2 remote commands execution

Apache Archiva is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at http://struts.apache.org/2.2.1/docs/s2-005.html.

Versions Affected:

  • Archiva 1.3 to Archiva 1.3.5
  • The unsupported versions Archiva 1.2 to 1.2.2 are also affected.

All users are recommended to upgrade to Archiva 1.3.6, which configures Struts in such a way that it is not affected by this issue.

Archiva 1.4-M3 and later is not affected by this issue.

CVE-2011-1077: Multiple XSS issues

Apache Archiva is vulnerable to multiple XSS issues, both stored (persistent) and reflected (non-persistent). Javascript which might contain malicious code can be appended in a request parameter or stored as a value in a submitted form, and get executed.

Versions Affected:

  • Archiva 1.3 to 1.3.4
  • The unsupported versions Archiva 1.0 to 1.2.2 are also affected.

CVE-2011-1026: Multiple CSRF issues

An attacker can build a simple html page containing a hidden Image tag (eg: <img src=vulnurl width=0 height=0 />) and entice the administrator to access the page.

Versions Affected:

  • Archiva 1.3 to 1.3.4
  • The unsupported versions Archiva 1.0 to 1.2.2 are also affected.

CVE-2011-0533: Apache Archiva cross-site scripting vulnerability

A request that included a specially crafted request parameter could be used to inject arbitrary HTML or Javascript into the Archiva user management page. This fix is available in version 1.3.4 of Apache Archiva. All users must upgrade to this version (or higher).

Versions Affected:

  • Archiva 1.3 to 1.3.3
  • The unsupported versions Archiva 1.0 to 1.2.2 are also affected.

CVE-2010-3449: Apache Archiva CSRF Vulnerability

Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force archiva administrators to view it and change their credentials. To fix this, a referrer check was added to the security interceptor for all secured actions. A prompt for the administrator's password when changing a user account was also set in place. This fix is available in version 1.3.2 of Apache Archiva. All users must upgrade to this version (or higher).

Versions Affected:

  • Archiva 1.3 to 1.3.1
  • Archiva 1.2 to 1.2.2 (end of life)
  • Archiva 1.1 to 1.1.4 (end of life)
  • Archiva 1.0 to 1.0.3 (end of life)