GHSA-463w-hxfv-g9f6

Source

https://github.com/advisories/GHSA-463w-hxfv-g9f6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-463w-hxfv-g9f6/GHSA-463w-hxfv-g9f6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-463w-hxfv-g9f6

Aliases

CVE-2022-40308

Published

2022-11-15T19:00:52Z

Modified

2023-11-08T04:10:23.285735Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Apache Archiva vulnerable to Sensitive Information Disclosure via anonymous user

Details

Apache Archiva prior to 2.2.9 may allow the anonymous user to read arbitrary files. If anonymous read enabled, it's possible to read the database file directly without logging in.

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2022-11-22T00:17:45Z",
    "nvd_published_at": "2022-11-15T13:15:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-862"
    ]
}

References

Affected packages

Maven / org.apache.archiva:archiva-common

Package

Name: org.apache.archiva:archiva-common; View open source insights on deps.dev
Purl: pkg:maven/org.apache.archiva/archiva-common

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.9

Affected versions

1.*

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.2-M1

1.2

1.2.1

1.2.2

1.3

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.8

1.3.9

1.4-M1

1.4-M2

1.4-M3

1.4-M4

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.2.1

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8