Continuum / CONTINUUM-2603

CSRF vulnerability - Continuum doesn't check which form sends credentials

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.3.7, 1.4.1
    • Component/s: Security
    • Labels:
      None

      Description

      As reported by Anatolia Security Research Group, Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force Archiva administrators to view it and change their credentials.

      Vulnerability reference key: [CVE-2010-3449] Apache Archiva CSRF Vulnerability

        Activity

        Maria Odea Ching created issue -
        Brett Porter made changes -
        Field Original Value New Value
        Key MRM-1454 CONTINUUM-2603
        Component/s Users/Security [ 12505 ]
        Fix Version/s 1.4.1 (Beta) [ 15104 ]
        Fix Version/s 1.3.2 [ 16673 ]
        Complexity Intermediate
        Project Archiva [ 10980 ] Continuum [ 10540 ]
        Component/s Security [ 12430 ]
        Fix Version/s 1.3.7 [ 17117 ]
        Brett Porter added a comment -

        Also affects Continuum

        Brett Porter made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        Assignee Maria Odea Ching [ oching ] Brett Porter [ brettporter ]
        Mark Thomas made changes -
        Project Import Sun Apr 05 08:36:01 UTC 2015 [ 1428222961749 ]
        Mark Thomas made changes -
        Workflow jira [ 12711246 ] Default workflow, editable Closed status [ 12738153 ]
        Mark Thomas made changes -
        Project Import Sun Apr 05 21:12:18 UTC 2015 [ 1428268338676 ]
        Mark Thomas made changes -
        Workflow jira [ 12945908 ] Default workflow, editable Closed status [ 12983937 ]
        Transition: Open → Closed
        Time In Source Status: 2m 48s
        Execution Times: 1
        Last Executer: Brett Porter
        Last Execution Date: 01/Feb/11 05:50

          People

          • Assignee:
            Brett Porter
            Reporter:
            Maria Odea Ching
          • Votes:
            0
            Watchers:
            0

            Dates

            • Created:
              Updated:
              Resolved: