CVE-2019-0213: XSS
First published: Tue Apr 30 2019(Updated: )
In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Archiva | <2.2.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archiva.apache.org/security.html#CVE-2019-0213
- http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html
- http://www.openwall.com/lists/oss-security/2019/04/30/7
- http://www.securityfocus.com/bid/108123
- https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E
- https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E
- https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E
- https://seclists.org/bugtraq/2019/Apr/47
- https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E
- https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E
- https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
- https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2019-0213?
CVE-2019-0213 is considered to have a minor risk level as it can only be exploited by users with admin roles.
How do I fix CVE-2019-0213?
To fix CVE-2019-0213, upgrade Apache Archiva to version 2.2.4 or later.
Who is affected by CVE-2019-0213?
CVE-2019-0213 affects users of Apache Archiva prior to version 2.2.4.
What type of vulnerability is CVE-2019-0213?
CVE-2019-0213 is a cross-site scripting (XSS) vulnerability.
What can an attacker do with CVE-2019-0213?
An attacker with admin privileges could potentially store malicious XSS code in the configuration entries of Apache Archiva.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/tags
- agent/author
- agent/event
- agent/description
- agent/first-publish-date
- agent/source
- vendor/apache
- canonical/apache archiva