www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Deng Ching <och...@apache.org>
Subject [CVE-2010-3449] Apache Archiva CSRF Vulnerability
Date Wed, 01 Dec 2010 09:45:18 GMT
CVE-2010-3449: Apache Archiva CSRF Vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Archiva 1.0 to 1.0.3 (end of life)
Archiva 1.1 to 1.1.4 (end of life)
Archiva 1.2 to 1.2.2 (end of life)
Archiva 1.3 to 1.3.1

Description:
Apache Archiva doesn't check which form sends credentials. An attacker
can create a specially crafted page and force archiva administrators
to view it and change their credentials. To fix this, a referrer check
was added to the security interceptor for all secured actions. A
prompt for the administrator's password when changing a user account
was also set in place.

Mitigation:
All users should upgrade to 1.3.2 (http://archiva.apache.org/download.html)

Credit:
This issue was discovered by Anatolia Security Research Group

References:
http://archiva.apache.org/security.html


Thanks,
The Apache Archiva Team

--------------------------------------------------------------------- 
To unsubscribe, e-mail: announce-unsubscribe@apache.org 
For additional commands, e-mail: announce-help@apache.org 



Mime
View raw message