cvelistv5 - cve-2019-0213

CVE-2019-0213 (GCVE-0-2019-0213)

Vulnerability from cvelistv5 – Published: 2019-04-30 21:35 – Updated: 2024-08-04 17:44

Summary

In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

Severity ?

No CVSS data available.

CWE

Stored XSS

Assigner

apache

References

URL

Tags

	https://seclists.org/bugtraq/2019/Apr/47	mailing-listx_refsource_BUGTRAQ
	https://lists.apache.org/thread.html/c358754a3547…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/0397ddbd17b5…	mailing-listx_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2019/04/30/7	mailing-listx_refsource_MLIST
	http://packetstormsecurity.com/files/152681/Apach…	x_refsource_MISC
	http://archiva.apache.org/security.html#CVE-2019-0213	x_refsource_MISC
	https://lists.apache.org/thread.html/ada0052409d8…	mailing-listx_refsource_MLIST
	http://www.securityfocus.com/bid/108123	vdb-entryx_refsource_BID
	https://lists.apache.org/thread.html/7bcea134c3d6…	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache	Apache Archiva	Affected: All versions prior to version 2.2.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:44:14.810Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Apr/47"
          },
          {
            "name": "[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E"
          },
          {
            "name": "[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E"
          },
          {
            "name": "[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
          },
          {
            "name": "[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E"
          },
          {
            "name": "108123",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108123"
          },
          {
            "name": "[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Archiva",
          "vendor": "Apache",
          "versions": [
            {
              "status": "affected",
              "version": "All versions prior to version 2.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Stored XSS",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-06T19:58:29",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Apr/47"
        },
        {
          "name": "[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E"
        },
        {
          "name": "[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E"
        },
        {
          "name": "[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
        },
        {
          "name": "[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E"
        },
        {
          "name": "108123",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108123"
        },
        {
          "name": "[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-0213",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Archiva",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions prior to version 2.2.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Stored XSS"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Apr/47"
            },
            {
              "name": "[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E"
            },
            {
              "name": "[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
            },
            {
              "name": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
            },
            {
              "name": "http://archiva.apache.org/security.html#CVE-2019-0213",
              "refsource": "MISC",
              "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
            },
            {
              "name": "[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E"
            },
            {
              "name": "108123",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108123"
            },
            {
              "name": "[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-0213",
    "datePublished": "2019-04-30T21:35:47",
    "dateReserved": "2018-11-14T00:00:00",
    "dateUpdated": "2024-08-04T17:44:14.810Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.2.4\", \"matchCriteriaId\": \"6AB5FF1B-F9F2-458C-BFE7-BA144AE1CAF2\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.\"}, {\"lang\": \"es\", \"value\": \"En Apache Archiva anterior a versi\\u00f3n 2.2.4, puede ser posible almacenar c\\u00f3digo XSS malicioso en entradas de configuraci\\u00f3n central, es decir, la URL logo. La vulnerabilidad es considerada un riesgo menor, ya que solo los usuarios con rol de administrador pueden cambiar la configuraci\\u00f3n, o la comunicaci\\u00f3n entre el navegador y el servidor Archiva debe verse comprometida.\"}]",
      "id": "CVE-2019-0213",
      "lastModified": "2024-11-21T04:16:30.047",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:P\", \"baseScore\": 5.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-04-30T22:29:00.793",
      "references": "[{\"url\": \"http://archiva.apache.org/security.html#CVE-2019-0213\", \"source\": \"security@apache.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/04/30/7\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/108123\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Apr/47\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://archiva.apache.org/security.html#CVE-2019-0213\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2019/04/30/7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/108123\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Apr/47\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-0213\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2019-04-30T22:29:00.793\",\"lastModified\":\"2024-11-21T04:16:30.047\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.\"},{\"lang\":\"es\",\"value\":\"En Apache Archiva anterior a versi\u00f3n 2.2.4, puede ser posible almacenar c\u00f3digo XSS malicioso en entradas de configuraci\u00f3n central, es decir, la URL logo. La vulnerabilidad es considerada un riesgo menor, ya que solo los usuarios con rol de administrador pueden cambiar la configuraci\u00f3n, o la comunicaci\u00f3n entre el navegador y el servidor Archiva debe verse comprometida.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:P\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.2.4\",\"matchCriteriaId\":\"6AB5FF1B-F9F2-458C-BFE7-BA144AE1CAF2\"}]}]}],\"references\":[{\"url\":\"http://archiva.apache.org/security.html#CVE-2019-0213\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/04/30/7\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108123\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://seclists.org/bugtraq/2019/Apr/47\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://archiva.apache.org/security.html#CVE-2019-0213\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2019/04/30/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/108123\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2019/Apr/47\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}"
  }
}

GSD-2019-0213

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-0213

Aliases

CVE-2019-0213

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-0213",
    "description": "In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.",
    "id": "GSD-2019-0213"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-0213"
      ],
      "details": "In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.",
      "id": "GSD-2019-0213",
      "modified": "2023-12-13T01:23:39.254877Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2019-0213",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Archiva",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "All versions prior to version 2.2.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Stored XSS"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "refsource": "BUGTRAQ",
            "url": "https://seclists.org/bugtraq/2019/Apr/47"
          },
          {
            "name": "[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E"
          },
          {
            "name": "[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E"
          },
          {
            "name": "[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
          },
          {
            "name": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
          },
          {
            "name": "http://archiva.apache.org/security.html#CVE-2019-0213",
            "refsource": "MISC",
            "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
          },
          {
            "name": "[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E"
          },
          {
            "name": "108123",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/108123"
          },
          {
            "name": "[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.2.4)",
          "affected_versions": "All versions before 2.2.4",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2019-05-06",
          "description": "In Apache Archiva it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.",
          "fixed_versions": [
            "2.2.4"
          ],
          "identifier": "CVE-2019-0213",
          "identifiers": [
            "CVE-2019-0213"
          ],
          "not_impacted": "All versions starting from 2.2.4",
          "package_slug": "maven/org.apache.archiva/archiva-webapp",
          "pubdate": "2019-04-30",
          "solution": "Upgrade to version 2.2.4 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-0213",
            "http://archiva.apache.org/security.html#CVE-2019-0213",
            "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html",
            "http://www.securityfocus.com/bid/108123"
          ],
          "uuid": "504573d5-5ec5-4a07-b46b-b7454ecc3496"
        },
        {
          "affected_range": "(,2.2.4)",
          "affected_versions": "All versions before 2.2.4",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2019-05-06",
          "description": "In Apache Archiva it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.",
          "fixed_versions": [
            "2.2.4"
          ],
          "identifier": "CVE-2019-0213",
          "identifiers": [
            "CVE-2019-0213"
          ],
          "not_impacted": "All versions starting from 2.2.4",
          "package_slug": "maven/org.apache.archiva/archiva",
          "pubdate": "2019-04-30",
          "solution": "Upgrade to version 2.2.4 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-0213",
            "http://archiva.apache.org/security.html#CVE-2019-0213",
            "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html",
            "http://www.securityfocus.com/bid/108123"
          ],
          "uuid": "f224c596-7694-4d22-b971-8b1b98236769"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.2.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-0213"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "BUGTRAQ",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://seclists.org/bugtraq/2019/Apr/47"
            },
            {
              "name": "[maven-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E"
            },
            {
              "name": "[archiva-users] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E"
            },
            {
              "name": "[oss-security] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
            },
            {
              "name": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
            },
            {
              "name": "http://archiva.apache.org/security.html#CVE-2019-0213",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
            },
            {
              "name": "[archiva-issues] 20190501 [jira] [Created] (MRM-1987) Port security fixes for 2.2.4 to 3.0.0",
              "refsource": "MLIST",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E"
            },
            {
              "name": "108123",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/108123"
            },
            {
              "name": "[announce] 20190430 [SECURITY] CVE-2019-0213: Apache Archiva Stored XSS",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-08-24T17:37Z",
      "publishedDate": "2019-04-30T22:29Z"
    }
  }
}

GHSA-CQCF-4G4H-RGHF

Vulnerability from github – Published: 2019-05-14 04:00 – Updated: 2021-05-11 16:14

Summary

Cross-site scripting in Apache Archiva

Details

In Apache Archiva before 2.2.4, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.archiva:archiva"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-0213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-05-03T15:36:51Z",
    "nvd_published_at": "2019-04-30T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Apache Archiva before 2.2.4, it is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.",
  "id": "GHSA-cqcf-4g4h-rghf",
  "modified": "2021-05-11T16:14:58Z",
  "published": "2019-05-14T04:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0213"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3@%3Cusers.archiva.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb@%3Cissues.archiva.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97@%3Cusers.maven.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Apr/47"
    },
    {
      "type": "WEB",
      "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108123"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site scripting in Apache Archiva"
}

CNVD-2019-26509

Vulnerability from cnvd - Published: 2019-08-01

Title

Apache Archiva输入验证错误漏洞（CNVD-2019-26509）

Description

Apache Archiva是美国阿帕奇（Apache）软件基金会的一套用于管理一个或多个远程存储的软件。该软件提供远程Repository代理、基于角色的安全访问管理和使用情况报告等功能。 Apache Archiva 2.2.4之前版本中存在输入验证错误漏洞，该漏洞源于网络系统或产品未对输入的数据进行正确的验证，攻击者可通过工件上载机制利用该漏洞在任意位置将文件写入archiva服务器。

Severity

中

Patch Name

Apache Archiva输入验证错误漏洞（CNVD-2019-26509）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： http://archiva.apache.org/security.html#CVE-2019-0213

Reference

https://web.nvd.nist.gov//vuln/detail/CVE-2019-0213 http://archiva.apache.org/security.html#CVE-2019-0213

Impacted products

Name
Apache Archiva <2.2.4

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "108123"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-0213",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0213"
    }
  },
  "description": "Apache Archiva\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u7ba1\u7406\u4e00\u4e2a\u6216\u591a\u4e2a\u8fdc\u7a0b\u5b58\u50a8\u7684\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u8fdc\u7a0bRepository\u4ee3\u7406\u3001\u57fa\u4e8e\u89d2\u8272\u7684\u5b89\u5168\u8bbf\u95ee\u7ba1\u7406\u548c\u4f7f\u7528\u60c5\u51b5\u62a5\u544a\u7b49\u529f\u80fd\u3002\n\nApache Archiva 2.2.4\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u5bf9\u8f93\u5165\u7684\u6570\u636e\u8fdb\u884c\u6b63\u786e\u7684\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5de5\u4ef6\u4e0a\u8f7d\u673a\u5236\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4efb\u610f\u4f4d\u7f6e\u5c06\u6587\u4ef6\u5199\u5165archiva\u670d\u52a1\u5668\u3002",
  "discovererName": "Apache",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://archiva.apache.org/security.html#CVE-2019-0213",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-26509",
  "openTime": "2019-08-01",
  "patchDescription": "Apache Archiva\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u7528\u4e8e\u7ba1\u7406\u4e00\u4e2a\u6216\u591a\u4e2a\u8fdc\u7a0b\u5b58\u50a8\u7684\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u8fdc\u7a0bRepository\u4ee3\u7406\u3001\u57fa\u4e8e\u89d2\u8272\u7684\u5b89\u5168\u8bbf\u95ee\u7ba1\u7406\u548c\u4f7f\u7528\u60c5\u51b5\u62a5\u544a\u7b49\u529f\u80fd\u3002\r\n\r\nApache Archiva 2.2.4\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u5bf9\u8f93\u5165\u7684\u6570\u636e\u8fdb\u884c\u6b63\u786e\u7684\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5de5\u4ef6\u4e0a\u8f7d\u673a\u5236\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4efb\u610f\u4f4d\u7f6e\u5c06\u6587\u4ef6\u5199\u5165archiva\u670d\u52a1\u5668\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Archiva\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2019-26509\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Archiva \u003c2.2.4"
  },
  "referenceLink": "https://web.nvd.nist.gov//vuln/detail/CVE-2019-0213\r\nhttp://archiva.apache.org/security.html#CVE-2019-0213",
  "serverity": "\u4e2d",
  "submitTime": "2019-04-30",
  "title": "Apache Archiva\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff08CNVD-2019-26509\uff09"
}

FKIE_CVE-2019-0213

Vulnerability from fkie_nvd - Published: 2019-04-30 22:29 - Updated: 2024-11-21 04:16

Severity ?

6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
security@apache.org	http://archiva.apache.org/security.html#CVE-2019-0213	Vendor Advisory
security@apache.org	http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html	Third Party Advisory, VDB Entry
security@apache.org	http://www.openwall.com/lists/oss-security/2019/04/30/7	Mailing List, Third Party Advisory
security@apache.org	http://www.securityfocus.com/bid/108123	Third Party Advisory, VDB Entry
security@apache.org	https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
security@apache.org	https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E
security@apache.org	https://seclists.org/bugtraq/2019/Apr/47	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://archiva.apache.org/security.html#CVE-2019-0213	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2019/04/30/7	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/108123	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://seclists.org/bugtraq/2019/Apr/47	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	archiva	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AB5FF1B-F9F2-458C-BFE7-BA144AE1CAF2",
              "versionEndExcluding": "2.2.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised."
    },
    {
      "lang": "es",
      "value": "En Apache Archiva anterior a versi\u00f3n 2.2.4, puede ser posible almacenar c\u00f3digo XSS malicioso en entradas de configuraci\u00f3n central, es decir, la URL logo. La vulnerabilidad es considerada un riesgo menor, ya que solo los usuarios con rol de administrador pueden cambiar la configuraci\u00f3n, o la comunicaci\u00f3n entre el navegador y el servidor Archiva debe verse comprometida."
    }
  ],
  "id": "CVE-2019-0213",
  "lastModified": "2024-11-21T04:16:30.047",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-30T22:29:00.793",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108123"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Apr/47"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://archiva.apache.org/security.html#CVE-2019-0213"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/04/30/7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108123"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Apr/47"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-0213 (GCVE-0-2019-0213)

GSD-2019-0213

GHSA-CQCF-4G4H-RGHF

CNVD-2019-26509

FKIE_CVE-2019-0213

Tags

Sightings

Nomenclature