8

CVE-2017-5657

Several REST service endpoints of Apache Archiva are not protected against Cross Site Request Forgery (CSRF) attacks. A malicious site opened in the same browser as the archiva site, may send an HTML response that performs arbitrary actions on archiva services, with the same rights as the active archiva session (e.g. administrator rights).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheArchiva Version <= 2.2.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.87% 0.54
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8 2.1 5.9
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6 6.8 6.4
AV:N/AC:M/Au:S/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
http://archiva.apache.org/security.html#CVE-2017-5657
Patch
Vendor Advisory
http://www.securityfocus.com/bid/98570
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1038528