Description
Apache Archiva 1.0 through 1.0.3, 1.1 through 1.1.4, 1.2 through 1.2.2, and 1.3 through 1.3.1 does not require entry of the administrator's password at the time of modifying a user account, which makes it easier for context-dependent attackers to gain privileges by leveraging a (1) unattended workstation or (2) cross-site request forgery (CSRF) vulnerability, a related issue to CVE-2010-3449.
References (3)
Core 3
Core References
Various Sources mailing-list
x_refsource_mlist
http://mail-archives.apache.org/mod_mbox/archiva-users/201011.mbox/ajax/%3CAANLkTimXejHAuXdoUKLN=GkNty1_XnRCbv0YA0T2cS_2%40mail.gmail.com%3E
Various Sources x_refsource_confirm
http://archiva.apache.org/security.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/514937/100/0/threaded
Scores
EPSS
0.0202
EPSS Percentile
78.7%
Details
CWE
CWE-79
Status
published
Products (15)
apache/archiva
1.0
apache/archiva
1.0.1
apache/archiva
1.0.2
apache/archiva
1.0.3
apache/archiva
1.1
apache/archiva
1.1.1
apache/archiva
1.1.2
apache/archiva
1.1.3
apache/archiva
1.1.4
apache/archiva
1.2
... and 5 more
Published
Dec 06, 2010
Tracked Since
Feb 18, 2026