History: Apr 30, 2019 - 10:29 p.m.

CVE-2019-0213

2019-04-30 22:29:00
CWE-79
apache
web.nvd.nist.gov
54
apache archiva
xss
security vulnerability
cve-2019-0213
nvd

CVSS2: 5.5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score: 6.1
Confidence: High

EPSS: 0.002
Percentile: 60.9%

In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.

Affected configurations

Nvd

Node
apache archiva, Range: <2.2.4

Vendor | Product | Version | CPE
apache | archiva | * | cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Apache Archiva",
    "vendor": "Apache",
    "versions": [
      {
        "status": "affected",
        "version": "All versions prior to version 2.2.4"
      }
    ]
  }
]
