
CVE-2024-27138

2024-03-01 16:15:45
CWE-863
apache
web.nvd.nist.gov
54
cve-2024-27138
incorrect authorization
apache archiva
vulnerability
user registration bypass
unsupported
retired product
isolation
migration

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score: 6.6
Confidence: Low

EPSS: 0
Percentile: 9.0%

UNSUPPORTED WHEN ASSIGNED: Incorrect Authorization vulnerability in Apache Archiva.

Apache Archiva has a setting to disable user registration; however, this restriction can be bypassed. As Apache Archiva has been retired, we do not expect to release a version of Apache Archiva that fixes this issue. You are recommended to look into migrating to a different solution, or isolating your instance from any untrusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected configurations

Node: apache archiva, Range 2.0.0

Vendor    Product    Version    CPE
apache    archiva    *          cpe:2.3:a:apache:archiva:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Archiva",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "*",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      }
    ]
  }
]
