archiva-users mailing list archives

From Deng Ching <>
Subject [CVE-2010-3449] Apache Archiva CSRF Vulnerability
Date Mon, 29 Nov 2010 23:13:32 GMT
CVE-2010-3449: Apache Archiva CSRF Vulnerability

Severity: Important

The Apache Software Foundation

Versions Affected:
Archiva 1.0 to 1.0.3 (end of life)
Archiva 1.1 to 1.1.4 (end of life)
Archiva 1.2 to 1.2.2 (end of life)
Archiva 1.3 to 1.3.1

Apache Archiva does not check which form submits the credentials. An
attacker can create a specially crafted page and, by getting Archiva
administrators to view it, change their credentials. To fix this, a
referrer check was added to the security interceptor for all secured
actions. A prompt for the administrator's password when changing a user
account was also put in place.
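As an added illustration of the referrer check the fix describes (this is example code, not Archiva's own interceptor), the function below decides whether a request to a secured action may proceed: safe methods pass, and any state-changing request must carry an Origin or Referer whose scheme, host and port match the server's own, with a missing header rejected rather than trusted. The header names, the sample host and the port handling are assumptions.

```python
from urllib.parse import urlsplit

# Methods that must not change state and therefore need no source check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_tuple(url, default_scheme=None):
    """Return (scheme, host, port) for a URL or a bare host[:port] value.

    Returns None for absent, 'null' or malformed values so callers fail closed.
    """
    if not url or url == "null":
        return None
    parts = urlsplit(url if "://" in url else "//" + url)
    scheme = parts.scheme or default_scheme
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # e.g. a non-numeric port
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, parts.hostname, port)


def allow_request(method, scheme, host_header, headers):
    """True when a request to a secured action may proceed.

    Origin is preferred over Referer because browsers send it on cross-site
    form posts even when Referer is suppressed. Comparing the full
    (scheme, host, port) tuple avoids prefix tricks such as
    'archiva.example.com.attacker.example' (constructed sample hosts).
    """
    if method.upper() in SAFE_METHODS:
        return True
    source = _origin_tuple(headers.get("Origin") or headers.get("Referer"))
    target = _origin_tuple(host_header, default_scheme=scheme)
    if source is None or target is None:
        return False  # no trustworthy source: reject the state change
    return source == target


if __name__ == "__main__":
    # Constructed sample: a forged cross-site POST against a user-edit action.
    forged = {"Referer": "https://attacker.example/csrf.html"}
    print(allow_request("POST", "https", "archiva.example.com", forged))
```

A password re-prompt on the account form, as the advisory also describes, is a second layer for the case where the source headers are absent or spoofed by a non-browser client.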

All users should upgrade to 1.3.2 (

This issue was discovered by Anatolia Security Research Group.

The Apache Archiva Team
