Cross Site Request Forgery Vulnerability in Apache Archiva
CVE-2017-5657
8 HIGH
Summary
Several of Apache Archiva's REST service endpoints lack protection against Cross Site Request Forgery (CSRF). An attacker can exploit this by tricking an authenticated user into visiting a malicious site; while the user's Archiva session is active, that site can send crafted requests that perform arbitrary actions on the Archiva services with the user's privileges, including administrator privileges. The vulnerability therefore poses a serious risk of unauthorized access to and manipulation of Archiva resources.
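The mitigation the summary implies is that a state-changing REST call authenticated only by a session cookie must also prove it was issued by the application's own pages. The following is an added illustration written for this page, not Archiva's own code or fix: it combines an Origin/Referer check with a synchronizer token bound to the session (HMAC over the session id), and runs it over constructed requests, including the cross-site case the advisory describes. The origin, session id and secret are constructed sample values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample values (not from the advisory): the origin the
# application is served from, and the HTTP methods that may change state.
EXPECTED_ORIGIN = "https://archiva.example.internal"
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive a synchronizer token bound to one session (HMAC-SHA256).

    The server hands this token to its own pages; a third-party site cannot
    read it because of the same-origin policy, so it cannot include it in a
    forged request even though the browser attaches the session cookie.
    """
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own.

    A request carrying neither header is rejected: for state-changing REST
    calls a missing origin is treated as untrusted rather than as benign.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == EXPECTED_ORIGIN


def request_allowed(method: str, headers: dict, session_secret: bytes,
                    session_id: str, submitted_token) -> bool:
    """Decide whether a cookie-authenticated request may proceed."""
    if method.upper() not in STATE_CHANGING_METHODS:
        # Safe methods must not change state, so they need no CSRF check.
        return True
    if not origin_allowed(headers):
        return False
    if submitted_token is None:
        return False
    expected = issue_csrf_token(session_secret, session_id)
    # Constant-time comparison so token validity cannot be probed byte by byte.
    return hmac.compare_digest(expected, submitted_token)


def demo() -> dict:
    """Run the check over constructed requests and report each decision."""
    secret = secrets.token_bytes(32)          # constructed per-session secret
    sid = "session-abc123"                    # constructed session id
    token = issue_csrf_token(secret, sid)
    return {
        # Application page: same origin, token present -> allowed.
        "legit_same_origin": request_allowed(
            "POST", {"Origin": EXPECTED_ORIGIN}, secret, sid, token),
        # Malicious site: browser sends the cookie, but the Origin is foreign
        # and no token is available -> rejected.
        "forged_cross_site": request_allowed(
            "POST", {"Origin": "https://attacker.example"}, secret, sid, None),
        # Same origin but token missing (e.g. a legacy form) -> rejected.
        "same_origin_no_token": request_allowed(
            "DELETE", {"Referer": EXPECTED_ORIGIN + "/archiva/index.html"},
            secret, sid, None),
        # Read-only request -> no CSRF check applies.
        "safe_method": request_allowed("GET", {}, secret, sid, None),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

In a real deployment the token is issued once per session and sent by the application's own JavaScript in a request header or body field; the Origin check alone already stops the classic cross-site form post, and the token covers browsers or proxies that strip the Origin and Referer headers.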
Affected Version(s)
Apache Archiva 1.x
Apache Archiva 2.0.0, 2.0.1
Apache Archiva 2.1.0, 2.1.1
References
CVSS V3.1
Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved