CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
    Apache Archiva 2.0.0 - 2.2.3
    The unsupported versions 1.x are also affected.

Description:
It is possible to write files to the Archiva server at arbitrary locations by using the artifact upload mechanism. Existing files can be overwritten if the Archiva run user has the appropriate permission on the filesystem for the target file.

Mitigation:

It is highly recommended to upgrade to Archiva 2.2.4 or higher, where additional validations are implemented to prevent such malicious parameter values. As an intermediate measure you may reduce the number of users that are allowed to upload to Archiva and make sure that the Archiva run user has write permission only to the directories it actually needs.
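The two points above, upload parameters steering the destination path and existing files being overwritten, are generic hardening problems for any artifact repository. The following added example (written for this page in Python, not Archiva's own Java code) shows the kind of validation the advisory refers to: the destination is built from the request parameters, every component is restricted to a plain Maven-style token, the canonical path is checked to stay under the repository root (which also catches symlinks pointing outside it), and the file is created with O_EXCL so an existing file is never replaced. The parameter names, the Maven directory layout and the repository paths are assumptions for illustration.

```python
"""Added example: containment and no-overwrite checks for artifact uploads.

Not Archiva's code. Parameter names (group_id, artifact_id, version,
filename) and the 'groupId dots become directories' layout are assumptions
chosen to resemble a Maven repository.
"""
import os
import re
import tempfile
from pathlib import Path

# A single path component: letters, digits, dot, underscore, dash; must not
# start with a dot. This rejects separators, "..", NUL and empty strings.
_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


class UploadRejected(ValueError):
    """Raised when upload parameters would place a file outside the repository."""


def _check_segment(value: str) -> str:
    # fullmatch (not match) so a trailing newline cannot slip past the pattern
    if not _SEGMENT.fullmatch(value):
        raise UploadRejected(f"invalid path component: {value!r}")
    return value


def resolve_upload_target(repo_root, group_id, artifact_id, version, filename) -> Path:
    """Return the canonical destination for an upload, or raise UploadRejected."""
    root = Path(repo_root).resolve()
    # 'org.example' -> 'org/example' (assumed layout); every part is validated
    group_dirs = [_check_segment(part) for part in group_id.split(".")]
    target = root.joinpath(*group_dirs,
                           _check_segment(artifact_id),
                           _check_segment(version),
                           _check_segment(filename))
    # Canonicalise (follows symlinks in any existing prefix) and require that
    # the result is still below the repository root.
    resolved = target.resolve()
    try:
        resolved.relative_to(root)
    except ValueError:
        raise UploadRejected(f"target escapes repository root: {resolved}") from None
    return resolved


def is_safe_upload(repo_root, group_id, artifact_id, version, filename) -> bool:
    """Boolean form of resolve_upload_target, convenient for policy checks."""
    try:
        resolve_upload_target(repo_root, group_id, artifact_id, version, filename)
        return True
    except UploadRejected:
        return False


def store_upload(repo_root, group_id, artifact_id, version, filename, data: bytes) -> Path:
    """Write an artifact only at its validated location and never overwrite."""
    dest = resolve_upload_target(repo_root, group_id, artifact_id, version, filename)
    dest.parent.mkdir(parents=True, exist_ok=True)
    # O_CREAT | O_EXCL: atomic create that fails with FileExistsError if the
    # path already exists, so an upload can never replace an existing file.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Exercise the checks against a throwaway repository; returns outcomes."""
    root = tempfile.mkdtemp(prefix="repo-")      # constructed sample repository
    outside = tempfile.mkdtemp(prefix="outside-")  # a directory outside the repo
    coords = ("org.example", "demo", "1.0", "demo-1.0.jar")
    results = {}

    first = store_upload(root, *coords, b"first")
    results["stored"] = first.read_bytes() == b"first"
    try:
        store_upload(root, *coords, b"second")
        results["overwrite_refused"] = False
    except FileExistsError:
        results["overwrite_refused"] = True
    results["content_intact"] = first.read_bytes() == b"first"

    # Separators and '..' in any parameter fail the component check.
    results["traversal_rejected"] = not is_safe_upload(root, "org.example", "demo", "1.0", "../../outside.txt")
    results["absolute_rejected"] = not is_safe_upload(root, "org.example", "demo", "1.0", "/outside.txt")
    results["group_dotdot_rejected"] = not is_safe_upload(root, "org..example", "demo", "1.0", "demo-1.0.jar")

    # A symlink inside the repository that points outside it passes the
    # component check but fails the canonical containment check.
    os.symlink(outside, os.path.join(root, "link"))
    results["symlink_escape_rejected"] = not is_safe_upload(root, "link", "demo", "1.0", "demo-1.0.jar")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26} {'ok' if ok else 'FAILED'}")
```

The component whitelist does most of the work; the canonical containment check remains necessary because a valid-looking directory name can still be a symlink that leads out of the repository, and the O_EXCL create turns "existing files can be overwritten" into a hard failure rather than something that depends on filesystem permissions alone.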

References:
http://archiva.apache.org/security.html#CVE-2019-0214

The newest Archiva version can be downloaded from:
http://archiva.apache.org/download.cgi
