www-announce mailing list archives

From Deng Ching <och...@apache.org>
Subject [CVE-2010-3449] Apache Archiva CSRF Vulnerability
Date Wed, 01 Dec 2010 09:45:18 GMT
CVE-2010-3449: Apache Archiva CSRF Vulnerability

Severity: Important

The Apache Software Foundation

Versions Affected:
Archiva 1.0 to 1.0.3 (end of life)
Archiva 1.1 to 1.1.4 (end of life)
Archiva 1.2 to 1.2.2 (end of life)
Archiva 1.3 to 1.3.1

Apache Archiva does not verify which form submitted the credentials. An attacker
can craft a page and induce Archiva administrators to view it, causing their
credentials to be changed. To fix this, a referrer check was added to the
security interceptor for all secured actions. The administrator is now also
prompted for their password when changing a user account.
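As an added illustration (not Archiva's own interceptor code), the following shows the kind of referrer check described above applied to a secured, state-changing action: the Origin or Referer host must exactly match the server's own host, and a request carrying neither header fails closed. The host names and action wrapper are hypothetical.

```python
from urllib.parse import urlsplit

# Illustrative referrer check for CSRF mitigation; not Archiva's interceptor.
# Header dicts below are constructed samples of what a servlet would receive.


def _host_from_url(url):
    """Return the lowercase host[:port] of an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # "null", relative values and odd schemes all fail here
    return parts.netloc.lower()


def referrer_allowed(headers, own_host):
    """Accept a state-changing request only if it originated from own_host.

    Origin is consulted first, then Referer. A browser does not let a
    cross-site page forge either header, so the comparison is an exact
    host match (no prefix matching) and a missing value is rejected.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    own_host = own_host.lower()
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if value:
            return _host_from_url(value) == own_host
    return False


def secured_action(headers, own_host, action):
    """Mimics an interceptor guarding every secured action (hypothetical)."""
    if not referrer_allowed(headers, own_host):
        return "403 Forbidden: cross-site request rejected"
    return action()


if __name__ == "__main__":
    host = "archiva.example.org:8080"
    print(secured_action({"Referer": "http://archiva.example.org:8080/admin"}, host, lambda: "ok"))
    print(secured_action({}, host, lambda: "ok"))
```

Proxies and privacy settings sometimes strip Referer, so a check that fails closed can block legitimate users; pairing it with a per-session anti-CSRF token, as many frameworks do, avoids depending on the header alone.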

All users should upgrade to 1.3.2 (http://archiva.apache.org/download.html).

This issue was discovered by Anatolia Security Research Group.


The Apache Archiva Team

To unsubscribe, e-mail: announce-unsubscribe@apache.org 
For additional commands, e-mail: announce-help@apache.org 
