Archiva: MRM-1438

CSRF vulnerability - Archiva doesn't check which form sends credentials

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.3.1
    • Fix Version/s: 1.3.2
    • Component/s: Users/Security
    • Labels: None

      Description

      As reported by Anatolia Security Research Group, Apache Archiva doesn't check which form sends credentials. An attacker can create a specially crafted page and force archiva administrators to view it and change their credentials.

      Vulnerability reference key: [CVE-2010-3449] Apache Archiva CSRF Vulnerability

        Activity

        Maria Odea Ching created the issue.
        Maria Odea Ching added a comment:

        Fixed in -r1038518:

        • upgrade to Redback 1.2.4 where this issue was fixed
        • enable referrer check by default for security interceptor in Archiva
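The second fix item enables a referrer check in the security interceptor. The class below is an added example written for this page, not Archiva or Redback code: it shows the core of such a check as a single method that a servlet filter or Struts interceptor would call before letting a state-changing request (a password or user-edit form post) reach the action. The URLs in `main` are constructed placeholders, not real Archiva action paths. Safe methods pass untouched; for anything else the `Origin` header is compared to the host the request arrived on, falling back to `Referer` when `Origin` is missing, and a request carrying neither is refused.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Origin / Referer check for state-changing requests, in the spirit of the
 * Redback referrer check that MRM-1438 turns on by default.
 * Added example for this page; not Archiva or Redback source.
 */
public final class RefererCheck {

    // Methods that must never change server state; they are not checked.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    /**
     * Decide whether a request may proceed to the action.
     *
     * @param method     HTTP method of the request
     * @param requestUrl absolute URL the server received the request on
     * @param origin     value of the Origin header, or null if absent
     * @param referer    value of the Referer header, or null if absent
     * @return true if the method is safe or the request came from our own origin
     */
    public static boolean allow(String method, String requestUrl, String origin, String referer) {
        if (SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
            return true;
        }
        // Prefer Origin: browsers attach it to cross-site form posts and a page
        // cannot strip it the way it can suppress Referer. "null" (opaque origin,
        // e.g. a sandboxed frame) carries no usable host, so fall back to Referer.
        boolean originUsable = origin != null && !origin.isEmpty() && !"null".equals(origin);
        String source = originUsable ? origin : referer;
        if (source == null || source.isEmpty()) {
            // A state-changing request with no provenance at all is refused:
            // a genuine same-site form submission always carries at least one.
            return false;
        }
        String expected = hostPort(requestUrl);
        String actual = hostPort(source);
        return expected != null && expected.equals(actual);
    }

    /** Normalise a URL to scheme://host:port (lower-case, explicit port), or null if unparsable. */
    static String hostPort(String url) {
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            String host = u.getHost();
            if (scheme == null || host == null) {
                return null;
            }
            int port = u.getPort();
            if (port == -1) {
                port = "https".equalsIgnoreCase(scheme) ? 443 : 80;
            }
            return scheme.toLowerCase(Locale.ROOT) + "://" + host.toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder URL for the admin's own Archiva instance.
        String self = "https://archiva.example.test/archiva/security/changePassword";

        // Admin submits the form from a page on the same Archiva host: allowed (true).
        System.out.println(allow("POST", self, null,
                "https://archiva.example.test/archiva/security/userInfo"));
        // Same form auto-submitted from a page on another site: refused (false).
        System.out.println(allow("POST", self, "https://other.example.test", null));
        // No Origin and no Referer on a state-changing request: refused (false).
        System.out.println(allow("POST", self, null, null));
        // A plain page view is never blocked by the check (true).
        System.out.println(allow("GET", self, null, null));
    }
}
```

Compile and run with `javac RefererCheck.java && java RefererCheck` (Java 9 or later for `Set.of`). Comparing scheme, host and port rather than a prefix of the raw string avoids the classic mistake of accepting `https://archiva.example.test.attacker-controlled.example/` because it "starts with" the expected host. A referrer check is the mitigation this issue ships, and it works because browsers attach these headers automatically; pairing it with a per-session synchronizer token on the form gives a defence that does not depend on the header being present.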
        Maria Odea Ching made changes:
        Fix Version/s: 1.3.2
        Assignee: Maria Odea Ching (oching)
        Resolution: Fixed
        Status: Open → Closed

        Mark Thomas made changes (project import, Sun Apr 05 08:30:08 UTC 2015 and Sun Apr 05 21:01:51 UTC 2015): workflow migrated to "Default workflow, editable Closed status".

        Transitions: Open → Closed; time in source status 5m 18s; executed 1 time; last executed by Maria Odea Ching on 29/Nov/10 20:46.

          People

          • Assignee: Maria Odea Ching
          • Reporter: Maria Odea Ching
          • Votes: 0
          • Watchers: 0
