CSRF vulnerability - Continuum doesn't check which form sends credentials

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.3.7, 1.4.1
Component/s: Security
Labels:
None

Complexity:
Intermediate
Number of attachments :
0

Description

As reported by Anatolia Security Research Group, Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force archiva administrators to view it and change their credentials.

Vulnerability reference key: [CVE-2010-3449] Apache Archiva CSRF Vulnerability

Activity

Ascending order - Click to sort in descending order

Brett Porter made changes - 01/Feb/11 5:48 AM

Field	Original Value	New Value
Project	Archiva [ 10980 ]	Continuum [ 10540 ]
Key	MRM-1454	~~CONTINUUM-2603~~
Fix Version/s		1.3.7 [ 17117 ]
Fix Version/s		1.4.1 (Beta) [ 15104 ]
Fix Version/s	1.3.2 [ 16673 ]
Component/s		Security [ 12430 ]
Component/s	Users/Security [ 12505 ]
Complexity		Intermediate

Hide

Permalink

Brett Porter added a comment - 01/Feb/11 5:49 AM

Also affects Continuum

Show

Brett Porter added a comment - 01/Feb/11 5:49 AM Also affects Continuum

Brett Porter made changes - 01/Feb/11 5:50 AM

Status	Open [ 1 ]	Closed [ 6 ]
Assignee	Maria Odea Ching [ oching ]	Brett Porter [ brettporter ]
Resolution		Fixed [ 1 ]

People

Assignee:

Brett Porter

Reporter:

Maria Odea Ching

Vote (0)

Watch (0)

Dates

Created:

01/Feb/11 5:47 AM

Updated:

01/Feb/11 5:50 AM

Resolved:

01/Feb/11 5:50 AM