CVE-2010-4408

Currently unrated

Key Information:

Vendor: Apache
Status: Archiva
Vendor: CVE Published:; 6 December 2010

Summary

Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.

References

http://archiva.apache.org/security.html

x_refsource_CONFIRM

http://mail-archives.apache.org/mod_mbox/archiva-users/20...

mailing-listx_refsource_MLIST

http://www.securityfocus.com/archive/1/514937/100/0/threaded

mailing-listx_refsource_BUGTRAQ

Timeline

Vulnerability published
Dec 6, 2010
Vulnerability Reserved
Dec 6, 2010