Bugtraq mailing list archives

[CVE-2010-3449] Apache Archiva CSRF Vulnerability
From: Deng Ching <oching () apache org>
Date: Tue, 30 Nov 2010 07:13:32 +0800

CVE-2010-3449: Apache Archiva CSRF Vulnerability

Severity: Important

The Apache Software Foundation

Versions Affected:
Archiva 1.0 to 1.0.3 (end of life)
Archiva 1.1 to 1.1.4 (end of life)
Archiva 1.2 to 1.2.2 (end of life)
Archiva 1.3 to 1.3.1

Apache Archiva does not verify which page submits the form that changes
credentials. An attacker can create a specially crafted page and, by
getting an Archiva administrator to view it, change that administrator's
credentials. To fix this, a referrer check was added to the security
interceptor for all secured actions, and a prompt for the
administrator's password when changing a user account was also put in
place.

All users should upgrade to 1.3.2 (http://archiva.apache.org/download.html)

This issue was discovered by Anatolia Security Research Group


The Apache Archiva Team
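As an added illustration of the mitigation described above (this is not Archiva's code, which is Java, and the origin, paths and header values are made up for the example), the following Python models a referrer check applied to state-changing requests, beside the naive string-prefix comparison that a same-looking attacker hostname defeats:

```python
from urllib.parse import urlsplit

# Hypothetical deployment origin of the Archiva instance (made up for this example).
APP_ORIGIN = "https://archiva.example.org"

# Methods that must not change state and are therefore not subject to the check.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def _origin_tuple(url):
    """Normalise a URL to (scheme, host, port) so two origins can be compared."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port or default_port)


def same_origin(url, origin=APP_ORIGIN):
    """True only if url has exactly the same scheme, host and port as origin."""
    return _origin_tuple(url) == _origin_tuple(origin)


def naive_referer_check(method, headers, app_origin=APP_ORIGIN):
    """The tempting shortcut: accept any Referer that *starts with* our URL.

    Included only to contrast with referer_check(); a hostname such as
    archiva.example.org.attacker.example passes this test.
    """
    if method in SAFE_METHODS:
        return True
    referer = headers.get("Referer")
    return referer is not None and referer.startswith(app_origin)


def referer_check(method, headers, app_origin=APP_ORIGIN):
    """Referrer check on a state-changing request, as an interceptor might apply it.

    The request is allowed only if the Referer names a page on the
    application's own origin. A missing Referer is refused (fail closed):
    a cross-site forgery can cause the browser to omit the header, so
    accepting "no Referer" would let an attacker bypass the check.
    """
    if method in SAFE_METHODS:
        return True
    referer = headers.get("Referer")
    if not referer:
        return False
    return same_origin(referer, app_origin)


# Constructed sample requests (not real Archiva traffic); the paths are invented.
SAMPLES = {
    "legit_form_post": ("POST", {"Referer": "https://archiva.example.org/admin/editUser"}),
    "attacker_page": ("POST", {"Referer": "https://attacker.example/csrf.html"}),
    "referer_stripped": ("POST", {}),
    "hostname_prefix_trick": ("POST", {"Referer": "https://archiva.example.org.attacker.example/csrf.html"}),
    "plain_http_downgrade": ("POST", {"Referer": "http://archiva.example.org/admin/editUser"}),
    "harmless_get": ("GET", {}),
}


def evaluate(check):
    """Run one check function over the samples; returns {sample name: allowed}."""
    return {name: check(method, headers) for name, (method, headers) in SAMPLES.items()}


if __name__ == "__main__":
    naive, strict = evaluate(naive_referer_check), evaluate(referer_check)
    for name in SAMPLES:
        print(f"{name:24} naive={naive[name]!s:5} strict={strict[name]}")
```

Two points the example is meant to make explicit. First, compare parsed origins (scheme, host, port), never string prefixes: the "hostname_prefix_trick" sample is accepted by the naive check and refused by the strict one. Second, decide the missing-Referer case deliberately; refusing it is the safe default, because a forged request can arrive without the header. A referrer check is still a weaker control than a per-session anti-CSRF token, which is why the second measure the advisory mentions, re-prompting for the administrator's password on account changes, matters as an independent layer.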
