<?xml version="1.0" encoding="UTF-8"?>
<mail id="%3cAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2@mail.gmail.com%3e">
 <from><![CDATA[Deng Ching &lt;och...@apache.org&gt;]]></from>
 <subject><![CDATA[[CVE-2010-3449] Apache Archiva CSRF Vulnerability]]></subject>
 <date><![CDATA[Mon, 29 Nov 2010 23:13:32 GMT]]></date>
 <contents><![CDATA[CVE-2010-3449: Apache Archiva CSRF Vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Archiva 1.0 to 1.0.3 (end of life)
Archiva 1.1 to 1.1.4 (end of life)
Archiva 1.2 to 1.2.2 (end of life)
Archiva 1.3 to 1.3.1

Description:
Apache Archiva doesn't check which form sends credentials. An attacker
can create a specially crafted page and force Archiva administrators
to view it and change their credentials. To fix this, a referrer check
was added to the security interceptor for all secured actions. A
prompt for the administrator's password when changing a user account
was also put in place.

Mitigation:
All users should upgrade to 1.3.2 (http://archiva.apache.org/download.html)

Credit:
This issue was discovered by Anatolia Security Research Group

References:
http://archiva.apache.org/security.html


Thanks,
The Apache Archiva Team

]]></contents>
 <mime>
<part ct="text/plain" cd="inline" cte="None" length="886" link="/" />
 </mime>
</mail>

