CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
    Apache Archiva 2.0.0 - 2.2.3
    The unsupported versions 1.x are also affected.

It is possible to write files to the archiva server at arbitrary locations by using the artifact upload mechanism.
Existing files can be overwritten, if the archiva run user has appropriate permission on the filesystem for the target file.

Mitigation:
 
It is highly recommended to upgrade to Archiva 2.2.4 or higher, where
additional validations are implemented to prevent such malicious
parameter values.
  As intermediate action you may reduce the number
of users that are allowed to upload to archiva and make sure, that the
archiva run user may have only
  write permission to the directories needed.

References:
http://archiva.apache.org/security.html#CVE-2019-0214

The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi

CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server的更多相关文章

  1. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  2. 使用Apache Archiva搭建Maven Repository Server

    关于 Maven 私服 的搭建 这里 采用 Apache Archiva 的 Standanlone 模式来安装 1) 首先到archiva主页上下载最新版(Archiva 2.2.1 Standal ...

  3. apache php upload file

    /********************************************************************************* * apache php uplo ...

  4. 使用Apache Archiva管理Maven仓库

    1 . 私服简介 私服是架设在局域网的一种特殊的远程仓库,目的是代理远程仓库及部署第三方构件.有了私服之后,当 Maven 需要下载构件时,直接请求私服,私服上存在则下载到本地仓库:否则,私服请求外部 ...

  5. CVE-2019-0213: Apache Archiva Stored XSS

    CVE-2019-0213: Apache Archiva Stored XSS Severity: Low Vendor:The Apache Software Foundation Version ...

  6. 奇葩问题:This file could not be checked in because the original version of the file on the server was moved or deleted. A new version of this file has been saved to the server, but your check-in comments were not saved

    "This file could not be checked in because the original version of the file on the server was m ...

  7. Error parsing 'file:///media/RHEL_5.5\\ x86_64\\ DVD/Server'

    Error parsing 'file:///media/RHEL_5.5\\ x86_64\\ DVD/Server' http://lindows.iteye.com/blog/456637 ht ...

  8. 重启Apache报错apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName ... waiting的解决方法

    启动apache提示 : apache2: Could not reliably determine the server's fully qualified domain name, using 1 ...

  9. 启动httpd服务:SSLCertificateFile: file '/var/www/miq/vmdb/certs/server.cer' does not exist or is empty

    启动httpd服务,失败: [root@test vmdb]# service httpd restart Stopping httpd: [FAILED] Starting httpd: Synta ...

随机推荐

  1. The pom for XXX is missing,no dependency information available

    笔者进行性能测试时,碰到如下问题 性能测试代码编写,调试通过之后.使用cmd进入项目根目录,意图打包导出项目中所有的依赖包,以便导入至jmeter工具中 cmd中使用命令:mvn dependency ...

  2. @Component默认是单例还是多例?

    @Component默认是单例还是多例?   答: @Component注解默认实例化的对象是单例,如果想声明成多例对象可以使用@Scope("prototype") @Repos ...

  3. Spring Cloud(7.3):配置Consumer Server

    接下来我们创建一个消费者服务.消费者服务从生产者服务拿取商品-价格信息,并保存在Redis中.同时,接收消息队列中生产者服务的更新提示,如果某个商品-价格被修改,则删除Redis中的缓存数据,并重新从 ...

  4. macpro锁屏后没有进入睡眠

    使用命令pmset -g查看,如图,钉钉阻止了屏幕的睡眠,找了下钉钉的配置,也没有发现有关的内容,重启钉钉后问题解决 displaysleep 10 (display sleep prevented ...

  5. 浅出讲解:php的socket通信

    原文地址:https://www.cnblogs.com/aipiaoborensheng/p/6708963.html 对TCP/IP.UDP.Socket编程这些词你不会很陌生吧?随着网络技术的发 ...

  6. 最新 美柚java校招面经 (含整理过的面试题大全)

    从6月到10月,经过4个月努力和坚持,自己有幸拿到了网易雷火.京东.去哪儿. 美柚等10家互联网公司的校招Offer,因为某些自身原因最终选择了 美柚.6.7月主要是做系统复习.项目复盘.LeetCo ...

  7. 最新 中手游java校招面经 (含整理过的面试题大全)

    从6月到10月,经过4个月努力和坚持,自己有幸拿到了网易雷火.京东.去哪儿.中手游等10家互联网公司的校招Offer,因为某些自身原因最终选择了中手游.6.7月主要是做系统复习.项目复盘.LeetCo ...

  8. 第一周--------Java的特性和优势

    --------我认可的1.跨平台性:   Java 的int 永远是32位,不像C++可能是16.,32 可能是根据编译器厂商规定的变化.这样的话,程序的移植就会变得困难2.安全性    Java ...

  9. sql server代理服务无法启动(SQL Agent):OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2).

    问题:从windows自带的事件查看器中查看到报错信息如下 OpenSQLServerInstanceRegKey:GetRegKeyAccessMask failed (reason: 2). (注 ...

  10. php使用ffmpeg获取上传的视频的时长,码率等信息

    视频上传是程序员在很多时候需要用到的操作,然而上传完视频肯定要获得一些视频的详细信息,php本身是不支持信息获取的 ,所以采用ffmpeg第三方插件 首先你需要下载ffmpeg文件:官网地址:http ...