Archiva / MRM-1438

CSRF vulnerability - Archiva doesn't check which form sends credentials

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.3.1
    • Fix Version/s: 1.3.2
    • Component/s: Users/Security
    • Labels: None
    • Number of attachments: 0

      Description

      As reported by Anatolia Security Research Group, Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and, by getting an Archiva administrator to view it, change that administrator's credentials.

      Vulnerability reference key: [CVE-2010-3449] Apache Archiva CSRF Vulnerability

        Activity

        Maria Odea Ching added a comment -

        Fixed in -r1038518:

        • upgrade to Redback 1.2.4 where this issue was fixed
        • enable referrer check by default for security interceptor in Archiva
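The description above explains the CSRF weakness (a credential-change form that accepts any authenticated POST, regardless of which page submitted it) and the fix comment names the mitigation (a referrer check enabled in the security interceptor). The following Python is an added illustration, not Archiva or Redback code: it models a credential-change handler both without and with an Origin/Referer check, using constructed requests, a constructed trusted-host list (`archiva.example.org`) and a constructed attacker host, all of which are assumptions for the example.

```python
"""Origin/Referer check on state-changing requests as a CSRF mitigation.

Added example, not Archiva or Redback code. A cross-site page can make a
logged-in administrator's browser submit the credential-change form (the
browser attaches the session cookie automatically), but the browser also
reports the submitting page in Origin/Referer, which the server can reject.
"""
from urllib.parse import urlsplit

# Hosts this application is served from (assumed deployment value).
TRUSTED_HOSTS = {"archiva.example.org", "archiva.example.org:8080"}

# Methods that must not change state and therefore need no source check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _host_of(url: str) -> str:
    """Return the host[:port] of an absolute URL, lowercased ('' if absent)."""
    return urlsplit(url).netloc.lower()


def referrer_check(method: str, headers: dict, trusted_hosts=TRUSTED_HOSTS) -> tuple:
    """Decide whether a request may reach a state-changing handler.

    Returns (allowed, reason). Safe methods pass. Other methods must carry an
    Origin (preferred) or Referer whose host is one of ours. A missing header
    is rejected: a page the attacker controls can suppress it, so "absent"
    cannot be treated as "trusted".
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "missing Origin/Referer on state-changing request"
    host = _host_of(source)  # 'null' or a bare word yields '' and is rejected
    if host not in trusted_hosts:
        return False, f"untrusted source host {host or source!r}"
    return True, "source host trusted"


def change_password(user_db: dict, request: dict, enforce_referrer_check: bool) -> tuple:
    """Credential-change endpoint.

    With enforce_referrer_check=False it behaves like the vulnerable version:
    any authenticated POST is honoured, whichever page produced it.
    """
    if request.get("session_user") is None:
        return 401, "not logged in"
    if enforce_referrer_check:
        ok, reason = referrer_check(request["method"], request["headers"])
        if not ok:
            return 403, reason
    user_db[request["session_user"]] = request["form"]["new_password"]
    return 200, "password changed"


# Constructed requests. Both arrive with the administrator's session because
# the browser attaches cookies to any form submission aimed at our host.
SAME_SITE_POST = {
    "method": "POST",
    "session_user": "admin",
    "headers": {"Origin": "https://archiva.example.org",
                "Referer": "https://archiva.example.org/security/password.action"},
    "form": {"new_password": "chosen-by-admin"},
}
CROSS_SITE_POST = {
    "method": "POST",
    "session_user": "admin",
    "headers": {"Referer": "http://attacker.example/page.html"},
    "form": {"new_password": "chosen-by-attacker"},
}


def demo() -> dict:
    """Run the three cases and return their status codes."""
    return {
        "vulnerable_cross_site": change_password({"admin": "old"}, CROSS_SITE_POST, False)[0],
        "fixed_cross_site": change_password({"admin": "old"}, CROSS_SITE_POST, True)[0],
        "fixed_same_site": change_password({"admin": "old"}, SAME_SITE_POST, True)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The check prefers `Origin` because browsers send it on cross-origin form posts and it cannot be spoofed by page content, while `Referer` may be stripped by privacy settings or proxies; rejecting requests that carry neither header is the secure default but can break legitimate clients behind such proxies, which is the trade-off behind making the check configurable. A referrer check is also a weaker control than a per-session synchronizer token, so it is best treated as defence in depth rather than the sole CSRF protection.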

          People

          • Assignee: Maria Odea Ching
          • Reporter: Maria Odea Ching
          • Votes: 0
          • Watchers: 0
