CVE-2017-5657

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-5657
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5657.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-5657
Aliases
Published
2017-05-22T18:29:00Z
Modified
2024-09-03T01:52:36.368984Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

Several REST service endpoints of Apache Archiva are not protected against Cross-Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the Archiva site may send an HTML response that performs arbitrary actions on Archiva services with the same rights as the active Archiva session (e.g. administrator rights).

References

Affected packages

Git / github.com/apache/archiva

Affected ranges

Type
GIT
Repo
https://github.com/apache/archiva
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

archiva-2.*

archiva-2.1.0
archiva-2.1.1
archiva-2.2.0
archiva-2.2.1