CVE-2019-0214
First published: Tue Apr 30 2019(Updated: )
In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Archiva | >=1.2<=1.3.9 | |
| Apache Archiva | >=2.0.0<=2.2.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archiva.apache.org/security.html#CVE-2019-0214
- http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html
- http://www.openwall.com/lists/oss-security/2019/04/30/8
- http://www.securityfocus.com/bid/108124
- https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e@%3Cusers.maven.apache.org%3E
- https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda@%3Cusers.archiva.apache.org%3E
- https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E
- https://seclists.org/bugtraq/2019/Apr/48
- https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e%40%3Cusers.maven.apache.org%3E
- https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda%40%3Cusers.archiva.apache.org%3E
- https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
- https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8%40%3Cannounce.apache.org%3E
Frequently Asked Questions
What is Apache Archiva?
Apache Archiva is a repository manager for Maven artifacts.
What is the vulnerability ID for Apache Archiva?
The vulnerability ID for Apache Archiva is CVE-2019-0214.
What is the severity of CVE-2019-0214?
The severity of CVE-2019-0214 is medium with a CVSS score of 6.5.
How does CVE-2019-0214 affect Apache Archiva?
CVE-2019-0214 allows attackers to write files to the Archiva server at arbitrary locations and overwrite existing files.
How can I fix CVE-2019-0214?
To fix CVE-2019-0214, it is recommended to upgrade to Apache Archiva version 2.2.4 or later, which addresses the vulnerability.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/author
- agent/event
- agent/description
- agent/first-publish-date
- agent/tags
- agent/source
- vendor/apache
- canonical/apache archiva
- version/apache archiva/1.2
- version/apache archiva/1.3.9
- version/apache archiva/2.0.0
- version/apache archiva/2.2.3