Description
In Apache Archiva 2.0.0 - 2.2.3, it is possible to write files to the Archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten if the Archiva run user has appropriate permission on the filesystem for the target file.
References (9)
Core References
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/239349b6dd8f66cf87a70c287b03af451dea158b776d3dfc550b4f0e%40%3Cusers.maven.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/5851cb0214f22ba681fb445870eeb6b01afd1fb614e45a22978d7dda%40%3Cusers.archiva.apache.org%3E
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Apr/48
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/04/30/8
Mitigation, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/152684/Apache-Archiva-2.2.3-File-Write-Delete.html
Vendor Advisory x_refsource_confirm
http://archiva.apache.org/security.html#CVE-2019-0214
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/108124
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/18b670afc2f83034f47ebeb2f797c350fe60f1f2b33c95b95f467ef8%40%3Cannounce.apache.org%3E
Scores
CVSS v3
6.5
EPSS
0.0165
EPSS Percentile
82.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
Status
published
Products (2)
apache/archiva
1.2 - 1.3.9
org.apache.archiva/archiva
2.2.0 - 2.2.4 Maven
Published
Apr 30, 2019
Tracked Since
Feb 18, 2026