6.8

CVE-2010-3449

Cross-site request forgery (CSRF) vulnerability in Redback before 1.2.4, as used in Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1; and Apache Continuum 1.3.6, 1.4.0, and 1.1 through 1.2.3.1; allows remote attackers to hijack the authentication of administrators for requests that modify credentials.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Jesse McconnellRedback Version <= 1.2.3
Jesse McconnellRedback Version1.0
Jesse McconnellRedback Version1.0 Updatealpha4
Jesse McconnellRedback Version1.0.1
Jesse McconnellRedback Version1.0.2
Jesse McconnellRedback Version1.0.3
Jesse McconnellRedback Version1.1
Jesse McconnellRedback Version1.1.1
Jesse McconnellRedback Version1.1.2
Jesse McconnellRedback Version1.2
Jesse McconnellRedback Version1.2 Updatebeta1
Jesse McconnellRedback Version1.2 Updatebeta2
Jesse McconnellRedback Version1.2.1
Jesse McconnellRedback Version1.2.2
ApacheArchiva Version1.0
ApacheArchiva Version1.0.1
ApacheArchiva Version1.0.2
ApacheArchiva Version1.0.3
ApacheArchiva Version1.1
ApacheArchiva Version1.1.1
ApacheArchiva Version1.1.2
ApacheArchiva Version1.1.3
ApacheArchiva Version1.1.4
ApacheArchiva Version1.2
ApacheArchiva Version1.2.1
ApacheArchiva Version1.2.2
ApacheArchiva Version1.3
ApacheArchiva Version1.3.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.84% 0.909
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://archiva.apache.org/security.html
http://continuum.apache.org/security.html
http://jira.codehaus.org/browse/MRM-1438
http://mail-archives.apache.org/mod_mbox/archiva-users/201011.mbox/ajax/%3CAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2%40mail.gmail.com%3E
http://mail-archives.apache.org/mod_mbox/continuum-users/201102.mbox/%3C032C189E-D821-4833-A8F2-F72365147695%40apache.org%3E
http://seclists.org/fulldisclosure/2011/Feb/238
http://secunia.com/advisories/42376
Vendor Advisory
http://secunia.com/advisories/43261
http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/archiva-modules/archiva-web/archiva-webapp/src/main/resources/struts.xml?r1=1038518&r2=1038517&pathrev=1038518
Patch
http://svn.apache.org/viewvc/archiva/branches/archiva-1.3.x/pom.xml?r1=1038518&r2=1038517&pathrev=1038518
Patch
http://svn.apache.org/viewvc?view=revision&revision=1038518
http://svn.apache.org/viewvc?view=revision&revision=1066010
http://www.osvdb.org/69520
http://www.securityfocus.com/archive/1/514937/100/0/threaded
http://www.securityfocus.com/archive/1/516341/100/0/threaded
http://www.securityfocus.com/bid/45095
http://www.securitytracker.com/id?1025066
http://www.vupen.com/english/advisories/2010/3098
Vendor Advisory
http://www.vupen.com/english/advisories/2011/0373